Errant email exposed Department of Consumer Affairs personal information
Technorati Tag: Security Breach
Date Reported:
6/23/08
Organization:
State of California
Contractor/Consultant/Branch:
Department of Consumer Affairs
Victims:
"employees, contractors and board members"
Number Affected:
5,000
Types of Data:
Names, Social Security numbers, salaries and job titles
Breach Description:
"The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers. "
Reference URL:
Capitol Weekly
Central Valley Business Times
Props to PogoWasRight
Report Credit:
Malcolm Maclachlan, Capitol Weekly
Response:
From the online sources cited above:
The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.
About 2,800 of the people on the list are current, full-time employees of the DCA.
The document also included some former employees and numerous contractors, such as people who proctor state job examinations.
The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.
The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich.
The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.
"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
[Evan] Troubling to you? It's probably hard for the victims to have much sympathy.
The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name.
However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
[Evan] Addresses and phone numbers are usually pretty easy to obtain and I would think are much easier to get than Social Security numbers. Unless of course, somebody emails them to you.
The DCA is the main state agency charged with protecting consumers in California.
[Evan] Ironic.
From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
[Evan] More ironic.
One agency whose employees were not on the list is the California Office of Privacy Protection (OPP).
Heimerich said the incident is still being investigated, and that he could not disclose who had received the document.
He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.
"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich said. "We're looking into how that happened."
"We kind of know where it was sent," Mr. Heimerich says.
[Evan] Sounds obvious, but did anyone check "Sent Items"? Yeah, probably. Seriously though, does the California DCA not log email sends and receives? It's hard to believe that the sender does not recall to whom they sent the email and there is no evidence of where it was sent.
The breach was discovered on Monday, June 9.
[Evan] It took 3 or 4 days for the DCA to discover the breach.
People whose names were on the list were sent an email the next day and an official letter a week later.
[Evan] Excellent quick notification. The earlier that a breach is detected and communicated to the data owner, the better.
Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list.
[Evan] One year of protection does not adequately protect information that has a lifespan that far exceeds that one year. Most bad guys (or gals) know that the "standard" organization response to a breach includes one year of free credit monitoring/protection, so many of them wait a year to use the information. It is also important to point out that just because a person monitors their credit, does not mean that their identity isn't being used elsewhere. It's a scary thought, but it's a broken system.
He said the DCA had not yet determined how much these protections were going to cost.
[Evan] You can estimate the cost yourself.
Commentary:
I like how Microsoft Outlook helps me when I am typing an email address in the "To:" field of my email. It saves me some keystrokes and a few precious seconds. Sometimes I am in such a hurry that I don't even notice that Outlook put in the wrong email address. I type my email, click send and away I go onto another task. A couple of days later, I get a call from a customer asking where their information is. I state that I sent it to them a couple of days ago, but they claim to have never gotten my email. I look through my sent items, and HOLY #*@^! I just sent some confidential (sensitive and potentially damaging) information to a competitor instead of my customer.
Sound conceivable? Have you ever sent an embarrassing email to the wrong person? It is very easy to do if you're not paying attention.
There are a number of controls we information security guys can put in place to reduce the risk of this happening. One of the best is information security training and awareness (kind of an administrative control).
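Training is the administrative control; the technical one that addresses this exact failure is an outbound check on the mail gateway that looks at what is leaving and to whom before the message goes out. The following is an added example written for this post, not code from the DCA or from the original article. The domain names, the roster, the SSNs in it and the alert threshold are all constructed for illustration; a real deployment would also add a .doc/.docx text extractor, since this example only scans text parts.

```python
"""Outbound e-mail DLP check: block or alert when a message carrying
Social Security numbers is addressed to anyone outside the organization.

Added example with constructed data; not the DCA's or the article's code.
INTERNAL_DOMAINS, SSN_THRESHOLD and the sample message are assumptions.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import getaddresses

INTERNAL_DOMAINS = {"dca.example.gov"}   # assumption: our own mail domains
SSN_THRESHOLD = 1                         # alert on any SSN leaving the org

# Formatted SSN (area-group-serial), e.g. 123-45-6789 or 123 45 6789.
# Lookarounds stop a 10- or 11-digit string from matching in the middle.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666 or 900-999,
    group 00, serial 0000). This trims false positives on phone numbers
    and order numbers that happen to be formatted the same way."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """All plausibly valid SSNs in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def external_recipients(msg: EmailMessage) -> list[str]:
    """Every To/Cc/Bcc address whose domain is not one of ours."""
    headers = [str(v) for k in ("To", "Cc", "Bcc") for v in msg.get_all(k, [])]
    out = []
    for _, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if addr and domain not in INTERNAL_DOMAINS:
            out.append(addr)
    return out


def message_text(msg: EmailMessage) -> str:
    """Body text plus every text/* attachment (CSV, plain text, ...)."""
    chunks = []
    for part in msg.walk():              # multipart containers are skipped
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def check_outbound(raw: bytes) -> dict:
    """Gateway decision for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ssns = find_ssns(message_text(msg))
    ext = external_recipients(msg)
    verdict = "block" if len(ssns) >= SSN_THRESHOLD and ext else "allow"
    return {"verdict": verdict, "ssn_count": len(ssns),
            "external_recipients": ext}


def build_sample(to: str) -> bytes:
    """Constructed test message: an internal sender, the given recipient
    list, and a roster attachment with fabricated SSNs. One row carries a
    000-area number so the plausibility filter is exercised too."""
    msg = EmailMessage()
    msg["From"] = "hr@dca.example.gov"
    msg["To"] = to
    msg["Subject"] = "Board roster"
    msg.set_content("Roster attached.")
    roster = ("name,ssn,title,salary\n"
              "A. Example,123-45-6789,Analyst,61000\n"
              "B. Example,321-54-9876,Proctor,0\n"
              "Not an SSN,000-12-3456,n/a,0\n")
    msg.add_attachment(roster, subtype="csv", filename="roster.csv")
    return msg.as_bytes()


if __name__ == "__main__":
    # The misaddressed case: autocomplete picked an outside address.
    leaked = check_outbound(
        build_sample("payroll@dca.example.gov, j.doe@vendor.example.com"))
    print(leaked)
    # Same document, internal recipients only: passes.
    print(check_outbound(build_sample("payroll@dca.example.gov")))
```

The check is deliberately two-sided: an SSN-bearing roster sent between two internal mailboxes is normal HR traffic and is allowed, while the same roster with even one outside address in To/Cc/Bcc is blocked. Had a rule like this sat on the DCA gateway, the June 5 or 6 message would have been stopped at send time instead of being discovered three days later, and the log line it produced would have answered "where was it sent" immediately.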
Past Breaches:
State of California:
March, 2008 - San Quentin visitor and volunteer information lost
I am interested in who it is that determines standards for not only security, but adequate protection for breaches of security. As I have followed your blog it appears to me that there indeed has developed a "standard" response by entities who lose people's names, Social Security numbers, addresses, credit card information and more, which is to "offer one year of credit monitoring". Who made the decision that this is adequate? Some thieves might try to use information extremely quickly while more cunning users of such data might sit on it for a year or more before they decide to start wreaking havoc with the data. Is anyone aware of any court cases on this issue of an adequate remedy?
Mr. Curbo,
I did try to call you and sent you an email regarding your inquiry into my interest in providing "expert testimony" in your case. I presume that you did not get my email. Are you still seeking assistance?
Standards are determined largely by information security professionals and the professional organizations with whom they are affiliated. There are developed standards and best practices, but not all apply to all organizations in all situations. Effective information security starts with information security governance and defining "acceptable risk" or "risk appetite". It then flows into strategy, information security program design, management and constant improvement, all built with the goal of bringing residual risk into alignment with acceptable risk. Obviously, this is a very high-level view, but it gives you a very basic idea. It should also be mentioned that information security is viewed by many people as being an integral part of "due care".
I don't know why one year of credit monitoring has become a semi-de facto standard offering. Maybe it was just a matter of one organization offering it and others following suit. It certainly is NOT adequate in my opinion or that shared by many of my information security counterparts.
There are plenty of court cases, with more being filed almost daily. I cannot cite one off the top of my head, but I am sure that some research would turn something up.
-Evan
Interesting update from the Sacramento Bee:
"A state worker recently married to a member of the Mexican Mafia who is in Corcoran State Prison for a gang murder is herself under investigation for downloading more than 5,000 names, addresses and Social Security numbers belonging to Department of Consumer Affairs staff, The Bee has learned."