Computers stolen from City of Fresno contractor

Date Reported:
10/21/08

Organization:
City of Fresno

Contractor/Consultant/Branch:
KRM Risk Management & Insurance Services

Location:
Fresno, California

Victims:
Current and former City of Fresno employees

Number Affected:
"close to 5700"

Types of Data:
"names, dates of birth, addresses and Social Security numbers"

Breach Description:
"More than 5,700 former and current city of Fresno employees could be at risk of identity theft after an Oct. 12 break-in at a private company that processes workers' compensation claims."

Reference URL:
The Fresno Bee
ABC Channel 30 News

Report Credit:
Denny Boyles, The Fresno Bee

Response:
From the online sources cited above:

Fresno police say everything from electronics to personal items was taken from a northwest Fresno office. Including a computer with confidential information on more than five thousand city employees ... Like social security numbers.

More than 5,700 former and current city of Fresno employees could be at risk of identity theft after an Oct. 12 break-in at a private company that processes workers' compensation claims.

Fresno police say the burglar alarm never went off.
[Evan] Not a very good burglar alarm then, is it? It isn't clear whether the burglar alarm malfunctioned or was simply bypassed.

Fresno Police Chief Jerry Dyer said, "The people had to know specifically what they were looking for because the location from where the computers were taken were in a separate room in this particular suite."

Investigators believe the suspects set fire to the business minutes after the break in to try to cover up the crime.

Officials notified affected workers on Tuesday, more than a week after the break-in at KRM Risk Management.
[Evan] One week to notify is acceptable and maybe even exceptional.

"Only those employees they believe will be affected were notified," said city spokeswoman Patti Miller.

The break-in was announced to senior officials on Monday by Terry Bond, Fresno's personnel director.

Among the items stolen was a computer containing personal information including names, dates of birth, addresses and Social Security numbers of former and current employees who have filed workers' compensation claims since 1973.
[Evan] Since 1973?! Thirty-five frickin' year-old sensitive information? Why? If there is no legal or regulatory requirement to keep information, and there is no business requirement to keep it, DESTROY IT. Most of us dictate how we do this through a data retention policy/program.

Hundreds are or were police officers.

Dyer said, "Fortunately, the computer is password protected. That's not to say that it cannot be breached."
[Evan] We all know (or should know) that password protection is not much protection at all in most instances: an operating-system login password controls who can log in, not who can read the disk, and once the machine is in a thief's hands the drive can simply be pulled and read on another computer. This breach is a good example of why sensitive data at rest in all stores (mobile and immobile) should be encrypted. The risk of sensitive information disclosure is less significant if the information store is immobile, but as you can see the risk is still present and should be accounted for. Consider this in your risk assessments (assuming you do them).

Police are reviewing video surveillance, hoping to get a closer look at who was last entering and leaving the business.

Investigators have not ruled out the possibility the crime was an inside job.

Those whose identity may have been compromised will be contacted, and they will get free credit monitoring for three months.
[Evan] I have never seen an organization offer three months of credit monitoring. We have seen many that offer none, some offer a year, and a few offer up to two years. What good will three months of credit monitoring do?

Commentary:
I am slightly less critical of sensitive information compromise through an unencrypted stolen desktop computer or server than I am about a laptop or flash drive.  There are very few organizations who encrypt all sensitive data at rest, which may be OK if the risks in not doing so are quantified, communicated and accepted.

Past Breaches:
Unknown