Maryland Department of the Environment employee data on stolen laptop
Date Reported:
11/21/08
Organization:
State of Maryland
Contractor/Consultant/Branch:
Maryland Department of Information Technology
Maryland Department of the Environment
Location:
Baltimore, Maryland
Victims:
Current and former Department of the Environment employees
Number Affected:
1,367
Types of Data:
"names and Social Security numbers"
Breach Description:
"Police are investigating the theft of two laptop computers containing the names and Social Security numbers of more than 1,300 people formerly employed by the Maryland Department of the Environment."
Reference URL:
MDE Security Alert
Department of Information Technology Press Release (pdf)
The Baltimore Sun
Report Credit:
Maryland Department of Information Technology
Response:
From the online sources cited above:
The Department of Information Technology (DoIT) learned that two laptop computers were stolen from secured offices at on November 12, 2008.
[Evan] How secured is "secured"?
Department of General Services Police were immediately engaged and their investigation is continuing at this time.
One of the computers contained a data file with the names and Social Security numbers of 1,367 employees who were assigned to the Maryland Department of the Environment from January 2000 through October 2006.
The computers are equipped with a commercial security utility that is activated as soon as the devices are connected to the Internet.
This security utility initiates a data deletion on the stolen computer using a Department of Defense approved algorithm and also assists police in tracking and recovering the missing equipment.
[Evan] This is a good thing, but I have to wonder why no encryption? The DoIT staff went through the trouble of installing this utility, but didn't take into account the unauthorized access to sensitive information should the laptop NOT be connected to the Internet.
DoIT had been using this computer for testing enhancements to the Leave Accounting System (LAS) with the MDE data.
[Evan] Ouch! Production sensitive information should NEVER be used in any kind of test environment. Sanitized test data only.
The Social Security numbers were used to identify and track attendance and leave balances of Maryland Department of the Environment employees.
The Social Security numbers are commonly used by the State to access historical information regarding employees.
[Evan] Universities across the country are moving (or have moved) away from this practice by assigning unique student IDs. Couldn't the state (and other employers) use unique employee IDs?
DoIT apologizes for this regrettable incident.
We are following the continuing investigation of this theft, while hardening our policies, processes and infrastructure to best ensure this type of event will not reoccur.
The Department of Information Technology has created a special website for individuals who are concerned that their information may have been on the stolen computer: doit.maryland.gov/mdealert.
The Department of Information Technology has also set up a phone number and e-mail address to assist users in obtaining answers to specific questions not addressed on the website: and .
Commentary:
Whenever we read about a breach, we learn a little about what organizations do (or don't do) to protect sensitive information. We can take what we learn, examine what we do ourselves, and hopefully improve our information security management practices.
Past Breaches:
State of Maryland:
August, 2008 - Maryland courts web site displays Social Security numbers (still)
January, 2008 - Maryland Department of Assessments & Taxation web exposure
August, 2007 - Maryland Department of the Environment, Stolen Laptop, Unknown Number of Victims
Maryland Department of the Environment:
August, 2007 - Maryland Department of the Environment, Stolen Laptop, Unknown Number of Victims
