Former Texas Lottery employee takes personal information
Date Reported:
10/31/08
Organization:
State of Texas
Contractor/Consultant/Branch:
Texas Lottery Commission
Location:
Austin, Texas
Victims:
Lottery winners
Number Affected:
"More than 89,000"
Types of Data:
Sensitive information including "names, Social Security numbers, addresses and prize amounts"
Breach Description:
"More than 89,000 lottery winners are being notified that sensitive information about them including their names, Social Security numbers, addresses and prize amounts were taken from the agency without permission by a former employee."
Reference URL:
Houston Chronicle
Report Credit:
Lisa Sandberg, Houston Chronicle
Response:
From the online source cited above:
AUSTIN — The Texas Lottery Commission is alerting tens of thousands of lottery winners that they're on a not-so-lucky list.
More than 89,000 lottery winners are being notified that sensitive information about them including their names, Social Security numbers, addresses and prize amounts were taken from the agency without permission by a former employee.
The 39-year-old computer analyst, who left the state commission last year after eight years on the job, apparently copied onto computer disks sensitive information on thousands of lottery commission employees, retailers and vendors, as well.
[Evan] This is a serious problem in many companies and organizations. Information security involvement in exit procedures can help, but only so much.
The employee, who told investigators he eventually copied the data onto his work computer at the Texas Comptroller's Office, has not been charged.
The case is being investigated by the Travis County District Attorney's office.
Investigators with the Texas Comptroller's Office said they have no evidence the information was used to commit fraud.
[Evan] Maybe not yet, but the information was clearly no longer under the control of the custodian (the Texas Lottery Commission). The risk of fraud is at least increased.
The Lottery Commission is advising those they contact to place a fraud alert on their credit files.
Dawn Nettles, the lottery commission's unofficial watchdog, blamed the agency for lax security procedures.
"The guy clearly did wrong. He should not have had any personal data on his work computer. However, he should not have been able to copy the files. There should have been a password required," she said.
[Evan] Huh? The "guy" should not have had any possession of or access to personal information unless he requires it to complete authorized tasks on behalf of the owner. Possession and access should cease immediately upon termination of employment (or prior). I agree that he should not have been able to copy the files, but I don't think password protection offers much protection either.
Agency spokesman Bobby Heith said that while officials were looking at measures to prevent similar acts from occurring, no new security procedures had yet been adopted.
[Evan] Hopefully there will be. If not new procedures, let's hope for better ones.
In August, investigators with the Comptroller's Office were asked to examine the computer files of the former lottery employee, who was working for the comptroller.
[Evan] This is interesting. Who asked investigators to look into this and why?
They discovered sensitive data on 27,000 individuals, the majority of them winners. Subsequent searches turned up data on 78,000 additional individuals, including 62,000 winners.
The agency notified people in the first group last month and began sending out letters to the 78,000 people this past week.
[Evan] This has to have some significant cost. Should the former employee be required to compensate (pay restitution)?
Several days after he was fired, the employee told investigators that prior to leaving the lottery commission, "I indiscriminantly [sic] copied all the files from the My DOC folder to a CD/DVD which I carried (to subsequent jobs)," according to a search warrant.
[Evan] This happens much more often than we would like to admit. Most companies own or are responsible for the information they possess. The information created by their employees does not belong to employees. The personal information certainly does not belong to the employee!
The employee added he wanted the information "for possible future reference as a programmer at other state agencies."
[Evan] A programmer? Does this mean that he copied source code as well? It's conceivable.
Commentary:
This breach highlights a significant deficiency in many organizational information security programs. How do we prevent, detect, and respond to employees taking organization-owned, sensitive information with them when they leave? Some organizations walk an employee out immediately upon receiving notice. Some organizations go through an information security inventory and audit when a key employee leaves. Some organizations include other information security steps in exit procedures. What do you do? Given the current economic climate, when layoffs are more prominent, organizations need to address this issue as soon as possible.
Past Breaches:
Unknown
