Hard drives purchased at Oklahoma auction contained personal information
Date Reported:
5/19/08
Organization:
State of Oklahoma
Contractor/Consultant/Branch:
Oklahoma Tax Commission
Oklahoma Corporation Commission
Victims:
Residents
Number Affected:
More than 5,000
Types of Data:
Names, addresses, and Social Security numbers
Breach Description:
"OKLAHOMA CITY -- The Oklahoma Corporation Commission is removing hard drives from all surplus computer equipment after a server containing the names and Social Security numbers of thousands of residents was sold at an auction recently."
Reference URL:
KOCO Channel 5 News
Associated Press via Tulsa World
KTEN Channel 10 News
Report Credit:
KOCO Channel 5 News
Response:
From the online sources cited above:
An Oklahoma City man discovered the names, addresses and Social Security numbers of thousands of Oklahomans on a computer he bought at a government auction.
[Evan] There are people who buy computer equipment at auctions online and in person specifically for the information they find on the hard drives. This was not the case here, but criminals can (and do) find a plethora of personal information, intellectual property and other confidential information on used computer equipment.
Joe Sill bought 50 computers last month to refurbish and resell as part of his business.
When he found the confidential information from 2003 he said he wanted the public to know.
"I was stunned that the government actually left all this information on the computer."
"People's identities are at risk," he said.
[Evan] Absolutely. Purchasing used hard drives and other data storage devices is one of the easiest methods for crooks to get their hands on confidential information.
The computer was a server labeled for the Oklahoma Tax Commission.
A representative from the commission said in 2005 some computers were transferred to the Corporation Commission where the computer came from.
Corporation Commission spokesman Matt Skinner said the commission is investigating why the computer's hard drive was not cleaned before the auction.
[Evan] Does the commission have the necessary policy and procedures in effect to dictate how the information on hard drives is destroyed when no longer needed? I doubt it.
The Social Security numbers are likely tied to trucking industry data kept on the server by both agencies, Corporation Commission spokesman Matt Skinner said.
"We're backtracking through the inventory sheet and we're working with DCS and tax commission to bring all the paperwork together on this machine."
The Corporation Commission does not usually hold confidential information so it left hard drives in the computers after they are decommissioned, though they are supposed to be erased.
[Evan] No hard drives should ever leave an organization without being processed according to information security policy and procedures (supposing they exist and address data destruction).
Commission representatives say now they will not allow computers to leave their building with hard drives still in them.
[Evan] Then what becomes of the hard drives? Are they destroyed, stored securely, or just discarded? I don't see any problem with leaving hard drives in the computers as long as they are securely wiped. Using a free program like Darik's Boot and Nuke works fine for many applications but can be time-consuming.
Commentary:
If information is no longer needed by an organization, destroy it. If encryption had been employed by the commission, this would have provided an additional layer in a defense-in-depth approach to information security.
My suggested policy statements state something like (at a minimum):
Confidential Data:
- When stored on mobile devices and media, protections and encryption measures provided through mechanisms approved by Management must be employed.
- Must be encrypted with strong encryption when transferred electronically to any entity outside of XYZ.
- Must be destroyed when no longer needed subject to the XYZ Data Retention Policy. Destruction may be accomplished by:
  - “Hard Copy” materials must be destroyed by shredding or another approved process that destroys the data beyond either recognition or reconstruction as per the XYZ Data Destruction and Re-Use Standard.
  - Electronic storage media that will be re-used must be overwritten according to the XYZ Data Destruction and Re-Use Standard.
  - Electronic storage media that will not be re-used must be physically destroyed according to the XYZ Data Destruction and Re-Use Standard.
  - Deleting files or formatting the media is NOT an acceptable method of destroying Confidential Data.
Past Breaches:
April, 2008 - Oklahoma Department of Corrections SQL exposure