Kingston Tax Service client information on stolen computers
Technorati Tag: Security Breach
Date Reported:
8/19/08
Organization:
Contractor/Consultant/Branch:
None
Victims:
Clients
Number Affected:
Unknown
Types of Data:
"information which can be used by identity thieves"
Breach Description:
"KINGSTON - Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft."
Reference URL:
North Kitsap Herald
Report Credit:
Kelly Joines, North Kitsap Herald and Props to PogoWasRight
Response:
From the online source cited above:
KINGSTON - Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft.
Office computers were stolen from the business in a reported burglary sometime before 8:30 a.m. on Aug. 12
"On each of the computers is information which can be used by identity thieves," states a letter sent to clients of Kingston Tax Services.
[Evan] On each of the computers? How many computers with sensitive information were stolen?
The letter, written by owner Tim Winsor the day the robbery report was filed, urges clients to put fraud alerts on their credit cards "immediately."
Although the information was password protected, Winsor states they aren’t foolproof.
[Evan] A fool would believe that password protection alone is sufficient to protect confidential information.
He advises clients need to call banks, credit card companies, the Social Security Administration and three credit bureau fraud departments: TransUnion, Equifax and Experian.
According to Kitsap County Sheriff reports, Winsor believes he saw his computer for sale on Craigslist.com on Aug. 14, two days after the burglary.
[Evan] This is interesting. It probably would have been a good idea to purchase the computer from the seller. If the computer was the one stolen, Mr. Winsor and police would have a good lead. I am pretty sure that the police are following up on this anyway.
The computer he suspects was his was listed without its hard drive.
[Evan] Bad news.
He couldn’t positively identify the computer because photos of the computer’s serial number were blurred
Winslow advises his clients in the letter: "Be prepared to make a call for each member of your family who was reported on any income tax return in the last eight years. ... I urge you for your own protection to make the phone calls to the agencies and bureaus above RIGHT NOW."
[Evan] Eight years worth of sensitive information belonging to clients stored on multiple computers with only password protection in a poorly secured office. Sounds like a bad thing just waiting to happen.
Kitsap County Sheriff spokesman Scott Wilson said in his experience working with law enforcement, identity theft happens "in a matter of minutes."
Typically, he said, thieves know there is a small window of opportunity to use the information gleaned off hard drives. After the burglary is known, the window of time closes as more people are notified and put fraud alerts on their cards.
[Evan] There is not a small window of opportunity to the use someone's information. A Social Security number does not have an expiration date (maybe upon death). People will put fraud alerts and invest time and money into identity theft protections, but people also have short memories. An identity thief can either use the information him/herself, sell the information to someone in the "underground" market, or hold on to it for later use.
"They (identity thieves) know it’s time sensitive," Wilson said. "I’ve seen really good crooks turn around and use that information in a matter of minutes."
Winsor was not available to comment on the theft before press time.
Attempts to contact him resulted in a company answering service stating if clients are calling in regards to a letter received, it contains all the information known at present.
"Right now we are focusing on replacing our computer system," the message states.
[Evan] It would be a good idea to focus on securing the computer system as well, don't you think?
Because of the burglary, the message also states that filing some deadlines were missed.
The building - currently in the middle of a remodel - was broken into after thieves broke a pane of glass located next to the door knob.
[Evan] Easy entry. There are no mentions of alarm systems, CCTV, etc.
Multiple foot prints were seen outside of the door and it appeared someone tried kicking the door in before breaking the glass, according to the report.
Commentary:
This is a breach that affects a small company in a relatively low crime area. Information security was likely an after-thought for Kingston Tax Service, as it is for many companies. I wonder if Mr. Winsor knows (or knew) about the risks of how his company uses information. If not, then what? Learn, seek advice, and/or hire a consultant.
Past Breaches:
Unknown
Date Reported:8/19/08
Organization:
Contractor/Consultant/Branch:
None
Victims:
Clients
Number Affected:
Unknown
Types of Data:
"information which can be used by identity thieves"
Breach Description:
"KINGSTON - Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft."
Reference URL:
North Kitsap Herald
Report Credit:
Kelly Joines, North Kitsap Herald and Props to PogoWasRight
Response:
From the online source cited above:
KINGSTON - Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft.
Office computers were stolen from the business in a reported burglary sometime before 8:30 a.m. on Aug. 12
"On each of the computers is information which can be used by identity thieves," states a letter sent to clients of Kingston Tax Services.
[Evan] On each of the computers? How many computers with sensitive information were stolen?
The letter, written by owner Tim Winsor the day the robbery report was filed, urges clients to put fraud alerts on their credit cards "immediately."
Although the information was password protected, Winsor states they aren’t foolproof.
[Evan] A fool would believe that password protection alone is sufficient to protect confidential information.
He advises clients need to call banks, credit card companies, the Social Security Administration and three credit bureau fraud departments: TransUnion, Equifax and Experian.
According to Kitsap County Sheriff reports, Winsor believes he saw his computer for sale on Craigslist.com on Aug. 14, two days after the burglary.
[Evan] This is interesting. It probably would have been a good idea to purchase the computer from the seller. If the computer was the one stolen, Mr. Winsor and police would have a good lead. I am pretty sure that the police are following up on this anyway.
The computer he suspects was his was listed without its hard drive.
[Evan] Bad news.
He couldn’t positively identify the computer because photos of the computer’s serial number were blurred
Winslow advises his clients in the letter: "Be prepared to make a call for each member of your family who was reported on any income tax return in the last eight years. ... I urge you for your own protection to make the phone calls to the agencies and bureaus above RIGHT NOW."
[Evan] Eight years worth of sensitive information belonging to clients stored on multiple computers with only password protection in a poorly secured office. Sounds like a bad thing just waiting to happen.
Kitsap County Sheriff spokesman Scott Wilson said in his experience working with law enforcement, identity theft happens "in a matter of minutes."
Typically, he said, thieves know there is a small window of opportunity to use the information gleaned off hard drives. After the burglary is known, the window of time closes as more people are notified and put fraud alerts on their cards.
[Evan] There is not a small window of opportunity to the use someone's information. A Social Security number does not have an expiration date (maybe upon death). People will put fraud alerts and invest time and money into identity theft protections, but people also have short memories. An identity thief can either use the information him/herself, sell the information to someone in the "underground" market, or hold on to it for later use.
"They (identity thieves) know it’s time sensitive," Wilson said. "I’ve seen really good crooks turn around and use that information in a matter of minutes."
Winsor was not available to comment on the theft before press time.
Attempts to contact him resulted in a company answering service stating if clients are calling in regards to a letter received, it contains all the information known at present.
"Right now we are focusing on replacing our computer system," the message states.
[Evan] It would be a good idea to focus on securing the computer system as well, don't you think?
Because of the burglary, the message also states that filing some deadlines were missed.
The building - currently in the middle of a remodel - was broken into after thieves broke a pane of glass located next to the door knob.
[Evan] Easy entry. There are no mentions of alarm systems, CCTV, etc.
Multiple foot prints were seen outside of the door and it appeared someone tried kicking the door in before breaking the glass, according to the report.
Commentary:
This is a breach that affects a small company in a relatively low crime area. Information security was likely an after-thought for Kingston Tax Service, as it is for many companies. I wonder if Mr. Winsor knows (or knew) about the risks of how his company uses information. If not, then what? Learn, seek advice, and/or hire a consultant.
Past Breaches:
Unknown
Posts Atom 1.0
I am disgusted with the security at Kingston Tax, which was totally inadequate considering the high possibility of multiple identity theft. I am a very recent client of this tax office and certainly would not use them again! I did not like Tim anyway and I felt he overcharged me. I hope he gets put out of business.....
Reply to this