City of Yuma accidentally emails Social Security numbers
Technorati Tag: Security Breach
Date Reported:
7/24/08
Organization:
City of Yuma (AZ)
Contractor/Consultant/Branch:
None
Victims:
Employees
Number Affected:
"about 300"
Types of Data:
Social Security numbers
Breach Description:
"The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel earlier this week"
Reference URL:
The Yuma Sun
Report Credit:
Joyce Lobeck, The Yuma Sun
Response:
From the online source cited above:
The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel earlier this week
However, the error was quickly taken care of it and "every step was taken to delete, retract and protect the information," according to a letter sent to those employees who were affected
[Evan] I guess a lot depends on how many people were sent the mistaken email. If it was a small group of people, then it is fairly easy to visit each system and delete the information. I am more concerned with how the mistake happened in the first place.
The e-mail was quickly removed from employee computers by the city's technology department, said Greg Hyland, city spokesman
[Evan] Is the city's technology department responsible for information security or does the city employ dedicated information security personnel? I presume that the city's technology department handles information security. If this is the case, then it would be a very good idea for the city to arrange for regular (maybe semi-annual) information security/risk assessments.
In some cases, he said, the information was removed so quickly, some recipients didn't even receive or open the e-mail.
"There is no evidence any the information left the confines of the city walls," he said.
[Evan] If the information did leave the city walls, would the city know it? It takes more than checking "Sent Items".
Hyland said the inadvertent e-mail contained the Social Security numbers of about 300 city employees out of the total 1,150 people who work for the city either full- or part-time
As a precaution, letters were sent to employees whose information was in the e-mail, advising them that they might want to contact credit reporting agencies to put a fraud alert on their credit reports.
Commentary:
Again, I am stuck on how the error was committed in the first place. We could speculate, but there are too many possibilities. It would probably be a good idea for the city to invest in an assessment of their current information security practices, especially if they don't have an abundance of resources available.
Past Breaches:
Unknown
Date Reported:7/24/08
Organization:
City of Yuma (AZ)
Contractor/Consultant/Branch:
None
Victims:
Employees
Number Affected:
"about 300"
Types of Data:
Social Security numbers
Breach Description:
"The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel earlier this week"
Reference URL:
The Yuma Sun
Report Credit:
Joyce Lobeck, The Yuma Sun
Response:
From the online source cited above:
The Social Security numbers of about 300 city of Yuma employees were "unintentionally released" in an e-mail sent to city administrative personnel earlier this week
However, the error was quickly taken care of it and "every step was taken to delete, retract and protect the information," according to a letter sent to those employees who were affected
[Evan] I guess a lot depends on how many people were sent the mistaken email. If it was a small group of people, then it is fairly easy to visit each system and delete the information. I am more concerned with how the mistake happened in the first place.
The e-mail was quickly removed from employee computers by the city's technology department, said Greg Hyland, city spokesman
[Evan] Is the city's technology department responsible for information security or does the city employ dedicated information security personnel? I presume that the city's technology department handles information security. If this is the case, then it would be a very good idea for the city to arrange for regular (maybe semi-annual) information security/risk assessments.
In some cases, he said, the information was removed so quickly, some recipients didn't even receive or open the e-mail.
"There is no evidence any the information left the confines of the city walls," he said.
[Evan] If the information did leave the city walls, would the city know it? It takes more than checking "Sent Items".
Hyland said the inadvertent e-mail contained the Social Security numbers of about 300 city employees out of the total 1,150 people who work for the city either full- or part-time
As a precaution, letters were sent to employees whose information was in the e-mail, advising them that they might want to contact credit reporting agencies to put a fraud alert on their credit reports.
Commentary:
Again, I am stuck on how the error was committed in the first place. We could speculate, but there are too many possibilities. It would probably be a good idea for the city to invest in an assessment of their current information security practices, especially if they don't have an abundance of resources available.
Past Breaches:
Unknown
Posts Atom 1.0
Evan - let me clarify some things for you...
1) The original e-mail list had about 25 senior level administrative assistants on it. These staff members deal with sensitive/personal information on a daily basis and know how to protect that sensitive information.
2) The e-mail was sent during the lunch hour and was removed by IT in a matter of minutes - most of the original recipients NEVER received the original e-mail.
3) The City of Yuma takes our information security very seriously and has policies in place to protect the City's information. This e-mail was sent only to internal mailboxes. The City of Yuma's Information Technology Department did a thorough inspection and there is NO evidence that the information left the City's electronic systems.
The City was being proactive and felt it was in the best interest of all concerned to alert the affected employees and ask them to be vigilant about their credit reports.
If you'd like to discuss this further, please call me at (RED) ACT-EDEF.
Reply to this
Greg,
Thank you for the clarification. Your comment provides details that should alleviate some peoples' concerns.
I also appreciate your invitation to call. If I get some time in the next day or so, I will call you. I do still have a couple of questions.
Thanks again!
Evan
Reply to this