Ex-Delphi employee information was on stolen flash drive
Date Reported: 8/1/08
Organization: State of Ohio
Contractor/Consultant/Branch: Ohio Department of Job & Family Services
Victims: Former Delphi employees
Number Affected: 2,600
Types of Data: "names, addresses, telephone numbers as well as the Social Security numbers"
Breach Description: "COLUMBUS — A flash drive with Social Security numbers and other personal information from 2,600 former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing."
Reference URL: Dayton Daily News
Report Credit: William Hershey, Dayton Daily News
Response:
From the online source cited above:
COLUMBUS — A flash drive with Social Security numbers and other personal information from 2,600 former Dayton-area Delphi workers was removed from the unattended laptop of a state employee and is missing.
[Evan] You would think that it's bad enough that these workers are out of jobs.
Helen Jones-Kelley, director of the Job and Family Services department, said on Friday, Aug. 1, that letters have been sent to all those affected.
[Evan] I would love to read a copy of this letter.
The incident occurred on July 25 in Lebanon, Jones-Kelley said.
The drive included the names, addresses, telephone numbers as well as the Social Security numbers of the workers.
[Evan] Why was this information ever permitted to be stored on a laptop or a flash drive?
"We are also doing an investigation with the state Highway Patrol about what happened," Jones-Kelley said.
"The flash drive was removed from her laptop while she (the employee) was having lunch."
[Evan] One of the problems that led to this breach was poor information security awareness.
Jones-Kelley declined to identify the employee but said that leaving the laptop unattended was a violation of department policy.
[Evan] I am a little troubled by this statement. I agree that it is a bad practice to leave a laptop unattended, but I think it is at least equally bad practice to allow sensitive information to be stored on a laptop without encryption (and/or additional controls), and at least equally bad practice to allow sensitive information to be stored on an unprotected flash drive. There is no mention of these poor practices as policy violations.
Depending on the circumstances, the breach could lead to disciplinary action up to and including termination, Jones-Kelley said.
[Evan] Employees need to be held accountable for violations of policy, but I question how well informed this person was. It almost seems like there is an attempt to paint the employee as a scapegoat in order to hide the fact that information security practices at the Ohio Department of Job & Family Services are substandard.
Commentary:
Do you think that there are bigger information security problems at the Ohio Department of Job & Family Services?
Past Breaches:
Unknown

Security awareness would have helped with both issues - knowing that it was unwise to leave the laptop/thumb drive unattended, and knowing that such sensitive data should not have been put on the thumb drive, or indeed the laptop, without encryption in the first place. Awareness of these issues by the managers and IT professionals at the department, as well as the users/employees, would have increased security further, and might have been enough for the department to have invested in appropriate technical controls (such as encryption and thumb drive access controls).
Awareness and technical controls are complementary, not alternatives.
Gary.