Backup server is stolen from Minnesota Veterans Homes
Technorati Tag: Security Breach
Date Reported:
7/18/08
Organization:
State of Minnesota
Contractor/Consultant/Branch:
Minnesota Department of Veterans Affairs
Minnesota Veterans Homes
Minneapolis
Victims:
Residents and some dependents
Number Affected:
336
Types of Data:
"telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses"
Breach Description:
"A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents, according to an official with the Minnesota Department of Veterans Affairs."
Reference URL:
Minnesota Department of Veterans Affairs News Release
StarTribune
Report Credit:
Minnesota Department of Veterans Affairs
Response:
From the online sources cited above:
St. Paul, Minn. – A back-up network server has been discovered among the items missing from the break-in that occurred at the Minneapolis Veterans Home early Sunday morning, July 13.
The server, stored in a locked room, did contain personal information on Minneapolis Veterans Home residents and some dependents.
contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses
The data was password protected.
Although law enforcement officials do not know if the server was the target of the burglary, the Minnesota Department of Veterans Affairs is taking all steps possible to immediately inform employees, residents and families of this potential breach.
The department will also provide comprehensive information on protection from identify theft in the event that someone would use this data to commit fraud, and will alert any resident or family member if the department becomes aware of any unusual financial activity.
Other items taken in the break-in from Buildings six and 10 include a tool kit, two musical keyboards, a guitar, Nintendo Wii, and laptop computer that did not contain information about residents, employees, or financial data.
Building 6 houses residents and resident-support departments and Building 10 houses the personnel and finance departments.
No residents, employees, or other individuals reported direct contact with the perpetrators.
Minneapolis Veterans Home is in the process of evaluating current on-site security measures.
"It is very unfortunate the Minneapolis Veterans Home has experienced this deliberate criminal act. We will take every action necessary to continue to protect the safety and security of our residents and employees.", Deputy Commissioner Gil Acevedo
there is no indication that the thieves have used the data
"The building was locked, and the doors were locked," he said (Mr. Acevedo). "We do have 24-hour security on campus. We are going to review our security policy and see how we can improve that."
In addition to fully cooperating with law enforcement as they investigate the theft, MDVA is conducting an internal review of hardware storage and has asked the Minnesota Office of Enterprise Technology to review all data security systems.
Currently, all personal data stored on MDVA portable devices is encrypted.
Commentary:
As I read the news release and the report from the StarTribune, I was looking for something meaningful to comment about. I am not intimate with the security program at MDVA, but based on the content of the news release, it seems like they have a pretty good understanding of some information security concepts. The news release gives an adequate amount of information and I get the sense that MDVA knows what they are doing.
This breach brings to mind data-at-rest encryption. A data-centric information security program dictates the same controls around information, no matter where it is. In this model, the server housing the confidential data should employ encryption. Obviously there is a higher probability that portable devices will be lost or stolen, but this case proves that servers are not immune.
On a personal note, what kind of thief steals from an organization like Minnesota Veterans Homes? The people living in these homes and whose personal information has been put at increased risk of disclosure, are people who served in our military and sacrificed more than some of us ever will.
Past Breaches:
State of Minnesota:
December, 2007 - Laptop stolen from Minnesota Department of Commerce vendor
Date Reported:7/18/08
Organization:
State of Minnesota
Contractor/Consultant/Branch:
Minnesota Department of Veterans Affairs
Minnesota Veterans Homes
Minneapolis
Victims:
Residents and some dependents
Number Affected:
336
Types of Data:
"telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses"
Breach Description:
"A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses for the home's 336 residents, according to an official with the Minnesota Department of Veterans Affairs."
Reference URL:
Minnesota Department of Veterans Affairs News Release
StarTribune
Report Credit:
Minnesota Department of Veterans Affairs
Response:
From the online sources cited above:
St. Paul, Minn. – A back-up network server has been discovered among the items missing from the break-in that occurred at the Minneapolis Veterans Home early Sunday morning, July 13.
The server, stored in a locked room, did contain personal information on Minneapolis Veterans Home residents and some dependents.
contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers and some medical information, including diagnoses
The data was password protected.
Although law enforcement officials do not know if the server was the target of the burglary, the Minnesota Department of Veterans Affairs is taking all steps possible to immediately inform employees, residents and families of this potential breach.
The department will also provide comprehensive information on protection from identify theft in the event that someone would use this data to commit fraud, and will alert any resident or family member if the department becomes aware of any unusual financial activity.
Other items taken in the break-in from Buildings six and 10 include a tool kit, two musical keyboards, a guitar, Nintendo Wii, and laptop computer that did not contain information about residents, employees, or financial data.
Building 6 houses residents and resident-support departments and Building 10 houses the personnel and finance departments.
No residents, employees, or other individuals reported direct contact with the perpetrators.
Minneapolis Veterans Home is in the process of evaluating current on-site security measures.
"It is very unfortunate the Minneapolis Veterans Home has experienced this deliberate criminal act. We will take every action necessary to continue to protect the safety and security of our residents and employees.", Deputy Commissioner Gil Acevedo
there is no indication that the thieves have used the data
"The building was locked, and the doors were locked," he said (Mr. Acevedo). "We do have 24-hour security on campus. We are going to review our security policy and see how we can improve that."
In addition to fully cooperating with law enforcement as they investigate the theft, MDVA is conducting an internal review of hardware storage and has asked the Minnesota Office of Enterprise Technology to review all data security systems.
Currently, all personal data stored on MDVA portable devices is encrypted.
Commentary:
As I read the news release and the report from the StarTribune, I was looking for something meaningful to comment about. I am not intimate with the security program at MDVA, but based on the content of the news release, it seems like they have a pretty good understanding of some information security concepts. The news release gives an adequate amount of information and I get the sense that MDVA knows what they are doing.
This breach brings to mind data-at-rest encryption. A data-centric information security program dictates the same controls around information, no matter where it is. In this model, the server housing the confidential data should employ encryption. Obviously there is a higher probability that portable devices will be lost or stolen, but this case proves that servers are not immune.
On a personal note, what kind of thief steals from an organization like Minnesota Veterans Homes? The people living in these homes and whose personal information has been put at increased risk of disclosure, are people who served in our military and sacrificed more than some of us ever will.
Past Breaches:
State of Minnesota:
December, 2007 - Laptop stolen from Minnesota Department of Commerce vendor
Posts Atom 1.0
Comments