OnPoint Community Credit Union notifies members of stolen laptop
Technorati Tag: Security Breach
Date Reported:
11/04/08
Organization:
OnPoint Community Credit Union
Contractor/Consultant/Branch:
"a Michigan-based auditing firm" (not named)
Location:
Portland, Oregon
Victims:
Members
Number Affected:
Unknown
Types of Data:
Account information, including names, account numbers and balances for certain types of deposit accounts.
Breach Description:
OnPoint Community Credit Union has notified its members of a laptop computer reported stolen from a Michigan-based auditing firm. The laptop computer contained confidential information belonging to members of the credit union.
Reference URL:
Jack Bog's Blog
Report Credit:
Jack Bogdanski, Jack Bog's Blog and a special thanks to informed reader Rob Thomas at InsideIDTheft.info
Response:
From the online source cited above:
The security of our members is very important to OnPoint Community Credit Union.
I am writing to let you know about the theft of a laptop computer that may have contained limited member account data.
[Evan] There is no mention of encryption anywhere in the notification letter, so I will assume that there was none used.
A laptop belonging to a Michigan-based auditing firm was stolen on Oct. 29 after the auditors had left OnPoint's offices for the day.
[Evan] I think we would all be amazed by the number of auditors (and other service providers) who carry sensitive client information with them unencrypted and otherwise poorly protected. I can think of a half-dozen off the top of my head. Service providers who practice poor information security do their clients a serious disservice. On the other hand, clients need to dictate and enforce information security in service provider relationships too.
The auditors cannot confirm that their employees deleted all OnPoint information from the laptop before leaving the credit union's offices, as required by OnPoint policy.
Because of this uncertainty, we are taking a number of precautions, including proactively notifying our members.
This appears to have been a random theft.
[Evan] Supposing there is such a thing.
There is no indication the thief has accessed any data, or is even aware of it.
The laptop may have contained member account information, including names, account numbers and balances for certain types of deposit accounts.
The information in question did not include any credit card information, debit card information or account passwords.
It also did not include Social Security numbers, taxpayer ID numbers, birthdates or other types of information typically used for identity theft.
[Evan] Thank God!
You do not need to take any action at this time but as always, we recommend monitoring your accounts.
If you detect any unauthorized access, contact us immediately at or .
OnPoint employees will continue to carefully check member identification over the telephone at our branches.
Please be sure you have proper identification when you call or visit a branch.
I sincerely apologize for this situation and any inconvenience it may cause you.
Please don't hesitate to call us or visit you branch if you have questions or conerns.
Commentary:
The notification letter is signed by Robert A. Stuart, the President and CEO of OnPoint Community Credit Union. I have written this before, but I am always more impressed when a corporate leader addresses information security (even if it is in a breach notification). After all, does the information security "buck" not stop at the leadership of an organization?
I would like to know who the auditor was/is.
Past Breaches:
Unknown
Date Reported:11/04/08
Organization:
OnPoint Community Credit Union
Contractor/Consultant/Branch:
"a Michigan-based auditing firm" (not named)
Location:
Portland, Oregon
Victims:
Members
Number Affected:
Unknown
Types of Data:
Account information, including names, account numbers and balances for certain types of deposit accounts.
Breach Description:
OnPoint Community Credit Union has notified its members of a laptop computer reported stolen from a Michigan-based auditing firm. The laptop computer contained confidential information belonging to members of the credit union.
Reference URL:
Jack Bog's Blog
Report Credit:
Jack Bogdanski, Jack Bog's Blog and a special thanks to informed reader Rob Thomas at InsideIDTheft.info
Response:
From the online source cited above:
The security of our members is very important to OnPoint Community Credit Union.
I am writing to let you know about the theft of a laptop computer that may have contained limited member account data.
[Evan] There is no mention of encryption anywhere in the notification letter, so I will assume that there was none used.
A laptop belonging to a Michigan-based auditing firm was stolen on Oct. 29 after the auditors had left OnPoint's offices for the day.
[Evan] I think we would all be amazed by the number of auditors (and other service providers) who carry sensitive client information with them unencrypted and otherwise poorly protected. I can think of a half-dozen off the top of my head. Service providers who practice poor information security do their clients a serious disservice. On the other hand, clients need to dictate and enforce information security in service provider relationships too.
The auditors cannot confirm that their employees deleted all OnPoint information from the laptop before leaving the credit union's offices, as required by OnPoint policy.
Because of this uncertainty, we are taking a number of precautions, including proactively notifying our members.
This appears to have been a random theft.
[Evan] Supposing there is such a thing.
There is no indication the thief has accessed any data, or is even aware of it.
The laptop may have contained member account information, including names, account numbers and balances for certain types of deposit accounts.
The information in question did not include any credit card information, debit card information or account passwords.
It also did not include Social Security numbers, taxpayer ID numbers, birthdates or other types of information typically used for identity theft.
[Evan] Thank God!
You do not need to take any action at this time but as always, we recommend monitoring your accounts.
If you detect any unauthorized access, contact us immediately at or .
OnPoint employees will continue to carefully check member identification over the telephone at our branches.
Please be sure you have proper identification when you call or visit a branch.
I sincerely apologize for this situation and any inconvenience it may cause you.
Please don't hesitate to call us or visit you branch if you have questions or conerns.
Commentary:
The notification letter is signed by Robert A. Stuart, the President and CEO of OnPoint Community Credit Union. I have written this before, but I am always more impressed when a corporate leader addresses information security (even if it is in a breach notification). After all, does the information security "buck" not stop at the leadership of an organization?
I would like to know who the auditor was/is.
Past Breaches:
Unknown
Posted by Evan Francen at 11/10/2008 11:50 AM 
Categories: OnPoint Community Credit Union, Stolen Laptop
Categories: OnPoint Community Credit Union, Stolen Laptop
Posts Atom 1.0
Comments