Stolen account firm laptop contained personal information
Technorati Tag: Security Breach
Date Reported:
4/24/08
Organization:
Hough, MacAdam & Wartnik LLC
Contractor/Consultant/Branch:
Coos County, Oregon
South Coast Hospice & Palliative Care
Two other undisclosed organizations
Victims:
Client employees
Number Affected:
482
Types of Data:
"name, Social Security number, and other personal information"
Breach Description:
"NORTH BEND - The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft."
Reference URL:
The World
Report Credit:
Jessica Musicar and Jolene Guzman, Staff Writers at The World
Response:
From the online source cited above:
The theft of a laptop computer owned by a local accounting firm has made nearly 500 employees of Coos County and private organizations concerned about identity theft.
County officials worry the data may have contained employees’ names, Social Security numbers and other personal information, which had been used in recent audits performed by Hough, MacAdam & Wartnik LLC of North Bend.
[Evan] We see too many breaches occurring through contractor/vendor relationships.
Although there have been no known reports of identity theft from any of the 482 employees notified, the computer has not been found and, according to a letter from the firm, thieves sometimes hold victims’ information for later use.
[Evan] The fact that thieves DO sometimes hold victims' information for later use is important to remember. This is one reason why one year or two year free credit monitoring (a semi-standard offering by breached companies) is a very limited short term response.
According to a Coos Bay Police press log, at approximately 7:28 a.m. on March 5, officers received a report of a woman flagging down Officer Tony Wetmore, identified as 122 in the log, near Coos Bay City Hall. Crystal Albiar, 30, told Wetmore a laptop computer had been stolen from a vehicle, which, Wetmore said, belonged to Albiar. The victim is listed on the press log as Hough, MacAdam & Wartnik. Albiar is a senior accountant at the firm.
Later that day, a letter from the company was sent to clients stating that a "serious data security incident" may have involved clients’ personal information.
[Evan] Quick response.
"During the night of Tuesday, March 4, 2008, a notebook computer was stolen from a locked vehicle. The notebook’s hard drive may have contained your name, Social Security number, and other personal information,"
"We have notified law enforcement about this incident. This notification included a general report alerting them to the fact that the incident occurred. However, we have not notified them about the presence of your specific information in the data breach."
[Evan] I wonder why the firm decided not to notify law enforcement about specific information on the computer.
A public accounting firm, Hough, MacAdam & Wartnik is locally owned by Jim Hough, Shirley MacAdam and Jayson Wartnik. It opened in July 2004, following the acquisition of the office from Moss Adams LLP. The business dates back to the 1940s.
Shirley MacAdam said the March 5 letters were sent to the 482 employees of four clients - only one of which was a public agency. She demurred from identifying the clients involved, but further investigation revealed the County and South Coast Hospice & Palliative Care in Coos Bay are among the four.
It is possible the four data files from the four clients contained Social Security numbers and addresses of some of the employees on the laptop’s hard drive.
Some of the information could have been on the laptop since October 2007.
[Evan] This is a long time for personal information to be stored on a mobile device. The longer the time, the higher the risk that the mobile device will be lost or stolen. Right? CPAs know this thing called risk, don't they?
The CPA said the computer was password protected, as were certain files.
[Evan] Oh boy, here it is. The password protection mention. Password protection should not be considered adequate protection in most circumstances (some would argue ALL circumstances). Operating system passwords are simple to circumvent, as are many common application passwords.
Some of the information contained in the programs requires "special knowledge in order to find the personal information inside of the program."
[Evan] And now, the security through obscurity mention. Security through obscurity is a myth. It is not effective.
When MacAdam and other members of the firm learned the computer had been stolen, their first priority was to identify affected clients and to notify them of potential risks. This was done within 24 hours of the theft.
"Our concern was to ensure that we are taking all actions that we should as prudent business people, in addition to complying with all regulations regarding proper and timely notification," MacAdam wrote to The World.
[Evan] Prudent business people should do many things, and one thing among them is to regularly evaluate the risks involved with the way they handle information. A prudent business person should be able to identify that storing confidential information from multiple clients on a poorly secured laptop is an unnecessary and unacceptable risk.
"We informed them of the actions they and their employees needed to take. Due to the nature of our work and our internal policies, no client information other than audit data is ever stored on a laptop, so there is no concern that any other client information might be on the stolen laptop."
The firm has since revisited its internal information technology security policy and implemented changes such as increased frequency of password changes, more complex passwords and encryption software when applicable.
[Evan] Careful. Increased frequency of password changes and increased password complexity can very easily lead to an increase in the probability that people will write passwords down. A person writing a password down on a Post-It note will defeat all of these controls (password changes, password complexity, and encryption software).
Additional training also was provided to Hough, MacAdam & Wartnik staff regarding the security policy.
[Evan] I am a big proponent of training. People argue about its effectiveness, but my experience has typically shown that it is well worth the time and effort. Training should be fun and interactive, periodic (maybe annual), and followed-up with regular awareness reminders (such as posters, email newsletters, banners, freebies, etc.).
While no reports of identity theft or fraud have been made to the firm, MacAdam said the impacts of the theft have been felt by clients as well as by the firm.
"The impact on HMW has been both time and financial as we took all steps necessary to inform the individuals affected and address all concerns brought to our attention."
[Evan] The costs of a breach are significant in soft and hard dollars. What did my grandma say, "an ounce of prevention is worth a pound of cure"? Wise advice; maybe she could have been a good information security professional.
MacAdam noted her firm has never experienced a data breach in the past and is still not aware if one has occurred.
[Evan] The firm is "still not aware if one has occurred" (meaning a breach)? Oh yes, it has occurred! In my definition, if you cannot be reasonably assured that confidential information has remained confidential, then a breach has occurred (not to mention integrity and availability).
More than 300 employees who received paper paychecks from the county may have had their personal information on the laptop, said Coos County Commissioner Kevin Stufflebean.
Information on the missing computer was left over from the county’s 2005-06 audit, Stufflebean said. There is a chance nothing was on the computer, he added.
"They didn’t have confirmation that it was wiped off the computer," he said. "That’s why they notified (employees)."
Coos County Counsel Jacki Haggerty said she had not received any reports from county employees of any unauthorized use of their information. Still, the incident will raise the level of awareness of possible breaches in the future, according to Haggerty.
"I think it’s sobering," she said. "You don’t think about it until something like this happens. This is kind of a wake-up call."
[Evan] This should be a wake-up call. It's really too bad that it takes a personally affecting incident before waking up. Wouldn't it be easier and more cost-effective to do a little research and learn from other people's mistakes?
Both the county and Hough, MacAdam & Wartnik are in the process of changing how data is used to make sure no unnecessary personal information is released in future audits. Haggerty said she feels assured by the lengths the firm has gone in order to increase data security.
"They are taking certain steps ... including not requesting or accepting certain information," she said. The list of banned data includes clients’ Social Security numbers.
[Evan] This is the best control so far. You can't lose information that you never had.
Employees of South Coast Hospice & Palliative Care also received copies of the March 5 letter from the accounting firm.
Carol Gardner, the administrative and personnel manager for South Coast Hospice, said Hough, MacAdam & Wartnik has audited the organization for approximately 10 incident-free years. In fact, Gardner said, the hospice’s board of directors complimented the company for acting so promptly.
"It was one of those unfortunate faux pas," Gardner said of the theft. "This was an unusual situation and proper steps (were) taken to coach and correct that employee."
[Evan] A faux pas (false step) yes, but I would argue against "unfortunate". Unfortunate for the victims, certainly, but not for the firm. Information mismanagement should not be confused with bad luck.
"It did scare me a little bit to think that somebody had access," Gardner said, adding her own son dealt with a four-year struggle after someone stole his identity. However, "Up to this point we have not heard of any repercussions from it."
"I feel that we were very fortunate because, as I understand (it), it’s big business, things getting stolen out of vehicles ... I think everyone needs to be aware not to leave anything of value in their vehicles."
Commentary:
Another sad incident of personal information on a poorly secured laptop computer. When I read news articles like this, my blood boils. Do people not know any better? If they don't, then they shouldn't be allowed to create, collect, process, transfer, or store confidential information.
It is Monday morning, so maybe I'm in a bit of a mood.
Past Breaches:
None