San Francisco Department of Human Services information found in dumpster

Date Reported:
7/23/08

Organization:
City and County of San Francisco

Contractor/Consultant/Branch:
Department of Human Services

Victims:
Clients

Number Affected:
"Potentially thousands of people"

Types of Data:
Case files and other confidential information including names, Social Security card copies, driver's license copies, passport copies, bank statements, and "other sensitive personal information"

Breach Description:
A local San Francisco television station (KTVU) has uncovered a breach involving confidential personal information thrown in the curbside garbage.  The sensitive information is from the San Francisco Department of Human Services.

Reference URL:
KTVU Channel 2 News

Report Credit:
KTVU Channel 2 News

Response:
From the online source cited above:

A KTVU investigation has uncovered a potentially serious security breach from a San Francisco city agency that has put some people's most private personal data literally out on the street.
[Evan] We expect our corporations and non-profits to abide by the law and provide adequate protection for confidential information, but we should be able to hold our government to a higher standard, shouldn't we?

Potentially thousands of people's personal information was exposed after a San Francisco agency left confidential files in unsecured curbside garbage and recycling bins.

A KTVU cameraman caught two individuals with pick-up trucks stopping briefly before hauling away armloads of paper.
[Evan] It's one thing to expose the information; it's another to know that it has been taken.

No one challenges them as they steal from the unsecured blue bins.
[Evan] If you take something out of the garbage, something that has been thrown away, is it stealing?

A closer look shows some of what they left behind: confidential documents from the San Francisco Human Services Department.

"Someone grabbed their hand in there and pulled out someone's social security card and an i.d. I think that's probably all you need to go places. And just seeing that sent it home that I could not leave anything out," - Lance Williams, a local resident

Peering into one of the bins, Williams illustrated how easily someone would be able to commit identity theft. "Well, already I have a first and last name. And unfortunately I see someone's social security number. I don't think I need to see any more than that."

The agency handles the case loads of 8,000 San Franciscans.

"Oh my god! People's information. They're supposed to have a lock on it. It's supposed to be shredded," Okorie exclaimed. "Don't they have a paper shredder? I have a paper shredder at home myself!" - Cati Okorie, a recent agency client

In some cases entire case files were discarded.

Blown up copies of social security cards, driver's licenses, passports, bank statements and other sensitive personal information were all left in these unlocked bins.

"Who's the supervisor of this whole place? I want to know. Can you explain how these are in an alley in an unlocked box?" asked Okorie.

Trent Rohrer is the head of San Francisco Human Services. Rohrer showed KTVU how the personal information is supposed to be disposed of, placed in locked bins.

"We do have a whole set of policies and procedures to prevent this stuff from happening, and clearly there are flaws in that," said Rohrer.
[Evan] Policy and procedure don't prevent anything if they are not followed.  Policy and procedure are not followed if they are not communicated well and there is no perceived sanction for non-compliance.  There may not be a flaw in the policy and procedure as it pertains to disposal of confidential information.  The flaw may be in the way they are communicated and enforced.

"We'll go from top to bottom to see if there's an internal identity theft ring going on or if there's something external going on. We'll get to the bottom of it," said Rohrer.
[Evan] I hope that someone will hold Mr. Rohrer accountable to this promise.

"It sounds like this would be an alley that would lead identity thieves to the good stuff that they're looking for. It's like cash. When you have hundred dollar bills, you're not going to leave them unattended" - Joanne McNabb, chief of the California Office of Privacy Protection

Almost immediately after KTVU discovered the security breach, San Francisco officials imposed a number of reforms, including many more secure waste paper disposal sites, new training for employees, and a new policy of never placing any garbage cans out on the street at the Department of Human Services.
[Evan] How common is it to find an organization react only after something bad happens?  Isn't it more effective to be proactive?

Commentary:
There is much more to this story than what has been reported. 

What do you suppose was the cause of this breach?  Was it something simple like a worker having a bad day?  Maybe it's just an employee that is overworked?  Is it something more sinister like someone who is disgruntled?  Sometimes it's a worker that is poorly trained, and just didn't know any better.  Could the cause of this breach be something more significant like poor information security management in general?  I did notice that there is no information security department or position on the DHS organizational chart.  Is this a sign?

We can only speculate.  Either way, the end result is not good in this case.

Past Breaches:
Unknown


 