Stolen laptop affects West Virginia state employees
Date Reported:
10/7/08
Organization:
State of West Virginia
Contractor/Consultant/Branch:
Department of Administration
Insurance Commission
Department of Health and Human Resources
Suttle and Stalnaker*
*The laptop was stolen from an employee of Suttle and Stalnaker, but the theft affected persons in each of the state departments listed above.
Location:
Charleston, West Virginia
Victims:
Employees
Number Affected:
535**
**425 Insurance Commission employees and 110 Department of Health and Human Resources employees
Types of Data:
"payroll and benefits information" including "full names or first names and Social Security numbers"
Breach Description:
"CHARLESTON, W.Va.- More than 500 state employees are being told that a laptop computer containing their personnel information, including Social Security numbers, was stolen last week, state officials confirmed Monday."
Reference URL:
The Charleston Gazette
The Associated Press via Herald-Dispatch.com
Report Credit:
Phil Kabler, The Charleston Gazette
Response:
From the online sources cited above:
CHARLESTON, W.Va.- More than 500 state employees are being told that a laptop computer containing their personnel information, including Social Security numbers, was stolen last week, state officials confirmed Monday.
The stolen laptop contains information for 425 employees with the state Insurance Commission, as well as 110 employees in the Bureau of Medical Services and Child Support Enforcement Division of the Department of Health and Human Resources.
[Evan] Encryption, anyone?
Administration spokeswoman Diane Holley said the department began sending out letters of notification on Friday as a precaution, after a subcontractor conducting an independent audit of the agencies reported the laptop as stolen.
[Evan] I don't see how sending out a letter after an incident has occurred is a "precaution". Precaution is care taken in advance, but this is care taken afterwards.
"We try to encourage people to make every attempt to protect their information, including using fraud alert services," she said.
[Evan] And the people try to encourage their government "to make every attempt to protect their information".
The laptop, belonging to an employee of the accounting firm Suttle and Stalnaker, was stolen from the employee's vehicle while it was parked in a downtown Charleston parking lot.
The computer contains payroll and benefits information for the employees, and includes either full names or first names and Social Security numbers for the 535 employees.
the state has been assured that all information on the computer is password-protected
[Evan] Uh, so?
Holley says it likely can't be accessed because it is protected by a password.
[Evan] How do you address the ignorance? It's frustrating. For people that don't know what I am talking about: password protection (likely operating system logon) is easily bypassed in a matter of minutes by people with minimal skill. By itself, it is NOT adequate protection for sensitive information confidentiality.
"It is our protocol to send out notification, even though we feel the information has not been compromised," she said. (Diane Holley)
[Evan] More ignorance.
Jason Butcher, with the state Insurance Commission, said police reports indicated that the laptop had been left on the car seat visible to passersby, and appears to be a crime of opportunity.
[Evan] Does anyone see a problem with leaving a laptop containing sensitive information on a car seat in plain view of passersby? Well, I suppose it was password protected!
"It doesn't appear they were after the laptop because of the information it contained," he said of the theft.
Holley added, "We take any breach of security very seriously and place priority in protecting all confidential data maintained by state government or any contractor which we utilize."
Commentary:
In this case, the response to the breach is much more frustrating than the breach itself. What do they plan to do in order to reduce the risk of future incidents? Giving the Department of Administration the benefit of the doubt, maybe they just had the wrong spokesperson making statements.
Past Breaches:
Unknown
