Ten stolen computers from Oakland Unified School District

Date Reported:
9/3/08
Organization:
Contractor/Consultant/Branch:
Victims:
"new employees"
Number Affected:
"about 100"
Types of Data:
"Social Security numbers and other personal information"*
*It is presumed that the information on the stolen computers included employment records for new hires.
Breach Description:
"OAKLAND, Calif.- Oakland school district officials are notifying all new employees of the district that their personal data may have been compromised after computers were stolen from the district's human resources offices."
Reference URL:
Report Credit:
KPIX TV Channel 5 News
Response:
From the online sources cited above:
Thieves stole 10 desktop computers containing employees' personal information Tuesday night from the Oakland school district's main office on Second Avenue, a district official said.
The computers contained the Social Security numbers and other personal information of about 100 new hires.
[Evan] At least these computers weren't laptops (I don't think). A case could be made that these computers should not have had sensitive information stored locally and/or should have been encrypted, but this may be a stretch for some organizations.
The burglary was discovered this morning in the Human Resources Department.
The computers were in the second-floor Human Resources Department and appear to be the only equipment stolen.
The incident is believed to have occurred about 11 p.m., with the burglars scaling a rear wall and using wire cutters to get through a metal window screen, said district spokesman Troy Flint.
[Evan] This is interesting. The break-in may have occurred at 11 p.m. Tuesday night, but was not discovered until Wednesday morning. The burglars knew how to enter the building without setting off the alarm system.
District officials wouldn't speculate whether the thieves targeted the human resources office specifically, but they said that given where they entered the building and the location of the office, it appeared possible that they had knowledge of district procedures, Flint said.
"This appears to be a highly sophisticated operation," he said.
[Evan] I am going to generalize a bit. Sophisticated burglars target what they perceive to be high-value assets. What value did they perceive in this heist? Would it be worth ~100 Social Security numbers?
The district does not employ 24-hour security at the main office, nor does it have security cameras.
The school district reportedly is in the process of notifying all employees whose information may have been compromised.
School district officers, the Oakland Police Department, the Alameda County District Attorney and the FBI are working together to solve the crime and enhance security at the district office, district officials said.
The FBI was brought into the investigation because of the potential for identity theft, Flint said.
Commentary:
There are few details available that outline what information security controls were in place to prevent this incident. We do know that there was a chink in the physical security armor that allowed the burglars to access a restricted area without timely detection. This incident supports the argument that information security is a combination of physical, administrative and technical controls.
Past Breaches:
Unknown
We were broken into at my old company. I had one of those Cuda cards installed in my PC. When I got to the office, after getting a call from the alarm company, all that was lost were two monitors and a few other office supplies. The computer with the CUDA card was lying in the reception area wailing away with an ear-piercing alarm.
Unfortunately the thieves broke the front window, which cost me $2500 to fix, but they did not leave with any data. That is the most costly part of computer theft. Data breach of customer and personal records is so expensive to fix that everyone should do everything possible to prevent theft. Tie down your computer, link it to an alarm system, install tracking and anything else you can think of. The cost of doing everything necessary to protect DATA is minuscule compared to the cost of recovering from a customer or personal record DATA breach.