Garfield County (CO) sends notifications of a lost disk

Date Reported:
11/07/08

Organization:
Garfield County (CO)

Contractor/Consultant/Branch:
Department of Human Services

Location:
Glenwood Springs, Colorado

Victims:
Social services program applicants

Number Affected:
"Approximately 270"*

*"About 7,000 letters have been mailed out" with notification of the incident, so the number affected could be disputed.

Types of Data:
Name, program code, and some Social Security numbers

Breach Description:
"GLENWOOD SPRINGS, Colorado — A Garfield County Department of Human Services employee took a data disk containing the Social Security numbers of almost 300 people home last month and later lost it."

Reference URL:
Glenwood Springs Post Independent

Report Credit:
Glenwood Springs Post Independent

Response:
From the online source cited above:

GLENWOOD SPRINGS, Colorado — A Garfield County Department of Human Services employee took a data disk containing the Social Security numbers of almost 300 people home last month and later lost it.
[Evan] These things happen all of the time.  What will it take for people to "get it"?

A statement from Lynn Renick, the county’s human services director, said the disk contained a spreadsheet providing “a tracking system for social services program applications” and that it also contained limited personal information.

Neither the disk nor its files were identified as Human Services information.

“The information on the disk listed the name of the adult in the household and a program code,” the statement said.

“Approximately 270 entries also listed a Social Security number.”

they say it would be hard to match the numbers to any names
[Evan] Really?  How hard?  As hard as following across the row in the spreadsheet?

the 267 Social Security numbers were raw data and would be hard to locate on the disk, much less tie to a name.
[Evan] What, was the information stored in binary or something?  Probably not.  A nine digit number is a nine digit number and a lot of people can figure out that a Social Security number is a nine digit number.

The statement said a search to find the disk was not successful.

there's "very little risk, if any" of the data being accessible
[Evan] And how do we come to this determination?  I presume that the "very little risk" is based upon largely subjective references.  The "if any" part of the statement is nonsense.  If the data was not encrypted, what would it take to access it?  There is no mention of any other access control.

“It is believed that the data disk has been thrown away or shredded,” the statement said.
[Evan] But I thought we just read that the employee took the disk home then lost it.  I doubt that the employee has a disk shredder at home.

“From the results of the investigation, it has been concluded that there is a very low risk that the information on the disk has been or will be able to be accessed.”
[Evan] It would be interesting to read the "results of the investigation" and the risk assessment process that allowed the county to draw this conclusion.

Renick said the Human Services department is contacting all individuals with any information copied on the disk.

About 7,000 letters have been mailed out notifying those who may have information on that disk.

Renick says an employee lost the disk after taking it home. She says she can't discuss any disciplinary action because it's a personnel issue.
[Evan] Judging from the few details we have read about this breach, it seems as though the employee's actions were acceptable to the county.  Why discipline an employee who followed behavior that was acceptable to the employer?

Commentary:
I drew a lot of conclusions from the article, but I don't think that I'm that far off.  Obviously more details could support or discredit the assumptions that I made.

Past Breaches:
Unknown


 