Sixteen laptops over ten years are stolen from the Irish Office of Comptroller and Auditor General

Date Reported:
8/10/08

Organization:
The Government of Ireland

Contractor/Consultant/Branch:
Department of Social and Family Affairs
Office of the Comptroller and Auditor General ("C&AG")

Victims:
"Social Welfare customers"

Number Affected:
"a maximum of 380,000"

Types of Data:
Name, Personal Public Service Number ("PPSN")*, address, pay amount, and personal information such as marital status, birth date, payment method, payment location, payments to date, free scheme entitlements (Telephone number, Electricity Account number and TV licence number) and commencement date

*Your Personal Public Service Number (PPS No.) is a unique reference number that helps you to gain access to social welfare benefits, public services and information in Ireland. (Source: Citizens Information Board)

Breach Description:
"THE DEPARTMENT of Social and Family Affairs is contacting 380,000 social welfare recipients after it emerged their personal details were stored on a laptop computer which was stolen more than a year ago."

Reference URL:
Department of Social and Family Affairs Press Release
Department of Social and Family Affairs announcement
Office of the Comptroller and Auditor General Press Release
Data Protection Commissioner Press Release
RTÉ
The Irish Times

Report Credit:
Office of the Comptroller and Auditor General

Response:
From the online sources cited above:

The personal information of 380,000 social welfare recipients has been lost in what the Data Protection Commissioner described as a 'serious incident'.

The information was contained on a laptop stolen from the Office of the Comptroller and Auditor General in April 2007.
[Evan] Can the C&AG argue that they didn't know any better than to store confidential information on an unencrypted laptop?  I don't know how anyone nowadays can make such a claim.  At what point does it become negligence?

The Department (of Social and Family Affairs) was informed by the Office of the Comptroller and Auditor General on 1st August 2008
[Evan] The laptop went missing in April, 2007 and it wasn't communicated to the affected parties until August, 2008.  How is this acceptable?  I presume that this time-frame is unacceptable to most people.  Shouldn't someone be held accountable?  If not, how can anyone expect things to change?

The vast majority of customers affected were in receipt of various social welfare schemes during a period of time in 2005.

The C & AG was conducting an audit of payments on specific schemes for periods in 2005.

Minister for Social and Family Affairs Mary Hanafin has said she is very concerned on a number of grounds about the incident.

Minister Hanafin said she was concerned that such information would be put on a laptop in a readable form and also that 15 months elapsed before her Department was informed last week of the details of the stolen files.
[Evan] These (and others) are very valid concerns.

The information that was provided to an Auditor of the C & AG office in 2007 was provided by us in standard coded format and, with the exception of names and addresses, was not something that would be easily interpreted by the outside public.
[Evan] What is a "standard coded format"?  ASCII is a standard coded format, isn't it?  I doubt that "standard coded format" means encryption or anything more secure than a simple "decode" (whatever the *&#! that means).

Ms Hanafin said the information included the names, addresses, dates of birth, and PPS numbers of people, adding that bank details were contained in 100,000 of the files.

5,000 of the records relate to those receiving unemployment and employment supports in 2004 from three local offices - Kilbarrack in Co Dublin, Newbridge in Co Kildare, and Cobh in Co Cork.

About a quarter of those affected were having payments made directly through their bank accounts, and the department says it is immediately contacting those people.

If a customer was not in receipt of a welfare payment in the particular month in 2005, their information was not on the laptop and they need not take any further action.

Letters will be issued to all other recipients affected, offering them advice and reassurance about the safety of their information.
[Evan] If I were affected by this breach, a letter probably wouldn't offer me much reassurance.

The information on the laptop was password-protected, but the data was not encrypted.
[Evan] In case you haven't read the hundreds (maybe thousands) of articles regarding operating system (likely Windows) passwords, they are trivial to bypass in most circumstances.  Mentioning the fact that the laptop was password-protected is meaningless in terms of providing any semblance of adequate protection against information disclosure.

A period of 16 months has elapsed since this theft occurred and there is no evidence that customer information has been misused or compromised in any way.
[Evan] There is no evidence that the Department is aware of, and there is no evidence that the information HAS BEEN misused. We know from experience and intelligence that information on a lost or stolen laptop without encryption increases the risk of disclosure and misuse unnecessarily.  This is the point.

Data Protection Commissioner Billy Hawkes said the theft of the laptop was a "very serious incident" and he expressed concern at the potential implications for those affected.

He (Mr. Hawkes) expected all major holders of personal data in the public and private sector to "fully examine all their policies in relation to the collection and storage of data to ensure that incidents of this scale and nature can be avoided in future".

Mr Hawkes praised the department for its decision to contact all of those directly affected.

From the Department of Social and Family Affairs - Questions?
What has or is being done to ensure that this will not happen again?

All bulk personal data is encrypted before it is transmitted to external agencies e.g. banks/post offices. The Department's policy is that no sensitive data is to be downloaded to laptops, and in the exceptional circumstances where this is required the data must be encrypted.
[Evan] It seems reasonable for the Department of Social and Family Affairs to demand third-party compliance with their policy and to audit them for compliance on a regular basis.  The companies we work with mandate how auditors (SOX, FDA, etc.) collect and store the information they need to compile in order to complete their work.
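As an added illustration of the distinction the press statements draw above (a laptop that is "password-protected" but whose data is not encrypted) and of the Department's stated rule that any sensitive data which does have to go onto a laptop must be encrypted, the following Python is not code from the Department or the C&AG. The customer rows, the password and the two file layouts are constructed for the example; the cipher is a counter-mode construction from HMAC-SHA256 with encrypt-then-MAC, used here only because it runs on the standard library alone. In practice the control is full-disk encryption or a vetted AEAD library, not this code.

```python
"""Added example (not the Department's or the C&AG's code): a "password-protected"
export still carries the customer records in clear, while an encrypted export
does not. The sample rows are constructed; the PPSNs are not real."""
from __future__ import annotations

import hashlib
import hmac
import os
import re
import struct

# Constructed sample of the kind of rows the audit extract held (name, PPSN,
# address, date of birth, payment method). Not real people.
SAMPLE_ROWS = [
    "Mary Murphy,1234567TA,12 Example Road Dublin 5,1970-03-05,EFT",
    "Sean Walsh,7654321WA,4 Sample Street Cobh,1965-11-21,POST OFFICE",
    "Aoife Byrne,2345678F,9 Demo Lane Newbridge,1982-07-14,EFT",
]

# PPSN shape: seven digits followed by one or two letters.
PPSN_RE = re.compile(rb"\b[0-9]{7}[A-Z]{1,2}\b")

PBKDF2_ROUNDS = 200_000


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 -> 64 bytes: one key for encryption, one for the MAC."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def password_protected_export(rows: list[str], password: str) -> bytes:
    """What "password-protected" often means: the viewer application checks a
    password hash in the header, but the rows behind it are written as plaintext."""
    salt = os.urandom(16)
    check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    body = "\n".join(rows).encode()
    return b"PWDX" + salt + check + body


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (illustration only;
    a vetted AEAD such as AES-GCM is what you would actually deploy)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypted_export(rows: list[str], password: str) -> bytes:
    """Encrypt-then-MAC layout: header || ciphertext || tag. Nothing is
    recoverable without the password, and any byte change is detected on decrypt."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    body = "\n".join(rows).encode()
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))
    header = b"ENCX" + salt + nonce
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def decrypt_export(blob: bytes, password: str) -> list[str]:
    """Reverse of encrypted_export. Raises ValueError on wrong password or tampering."""
    if blob[:4] != b"ENCX" or len(blob) < 4 + 16 + 16 + 32:
        raise ValueError("not an encrypted export")
    header, ct, tag = blob[:36], blob[36:-32], blob[-32:]
    salt, nonce = header[4:20], header[20:36]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or tampered export")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return body.decode().split("\n")


def scan_for_ppsn(blob: bytes) -> list[str]:
    """What a thief does with a stolen disk: scan the raw bytes. No password is needed."""
    return [m.group().decode() for m in PPSN_RE.finditer(blob)]


if __name__ == "__main__":
    plain = password_protected_export(SAMPLE_ROWS, "hunter2")
    print("password-protected export leaks:", scan_for_ppsn(plain))
    enc = encrypted_export(SAMPLE_ROWS, "hunter2")
    print("encrypted export leaks:", scan_for_ppsn(enc))
    print("owner with password recovers:", len(decrypt_export(enc, "hunter2")), "rows")
```

Running it shows every PPSN recovered from the "password-protected" file by a byte scan that never touches the password check, nothing recovered from the encrypted file, and the encrypted file refusing to open under a wrong password or after a single flipped byte. The scan function is also the cheap audit check a data owner can run over an auditor's working media before it leaves the building.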

The department has set up a dedicated helpline for members of the public if they are affected or if they have any concerns. Advertisements will appear in national and regional newspapers outlining the effects.

Customers can contact the Department at

Freephone (9am to 6pm) (Republic of Ireland Only)

Telephone 00 353 1 4715810 (Outside the Republic of Ireland)

email

Write to PO BOX 12000, Dublin 1

The C&AG says payroll details of staff at seven public bodies were contained in two other stolen laptops.

In all 16 laptops have been stolen from the office over the last 10 years.
[Evan] 16 stolen laptops over 10 years, and nobody thought that maybe we should protect these devices, until now?

The C&AG regrets the loss of the laptop computers and the risk that the information on them could be improperly disclosed or misused.

Steps have been taken to reduce the risk of any recurrence through
  • Introducing an encrypted working papers system in 2007
  • Limiting the amount of client data held on laptop computers
  • Working within client systems where possible
  • Ensuring that accounting data transferred to it is done through encrypted media
  • Prohibiting the transfer of personal data via e-mail
  • Gathering all historic data on portable media and holding it securely for destruction.

The Office is currently testing data encryption software for use on information not held within its electronic working papers. This will be implemented as soon as testing is complete.
[Evan] People might want to know a timeline.

Commentary:
It is troubling to read about an incident regarding a government entity where they treat the security of the information they collect so carelessly.

Past Breaches:
Unknown
