Sensitive client information missing from small North Carolina non-profit
Date Reported:
1/13/09
Organization:
Blue Ridge Community Action ("BRCA")
Contractor/Consultant/Branch:
None
Location:
Morganton, North Carolina
Victims:
Clients
Number Affected:
"Approximately 300"
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"MORGANTON - Approximately 300 people's Social Security numbers are on an external computer hard drive missing from Blue Ridge Community Action, 800 N. Green St."
Reference URL:
The News Herald
Report Credit:
Julie N. Chang, The News Herald
Response:
From the online source cited above:
MORGANTON - Approximately 300 people's Social Security numbers are on an external computer hard drive missing from Blue Ridge Community Action, 800 N. Green St.
[Evan] Blue Ridge Community Action is a small non-profit organization with a noble mission of "Helping People to Help Themselves in Partnership With the Community" and good intentions. Unfortunately, information security is too often an afterthought.
BRCA Executive Director Mattie Patterson said the hard drive contains information on clients from four counties who have used the organization's services in the past four or five years.
The external hard drive was used to back up information on clients.
[Evan] Obviously, backing up data is a good thing, but not at the expense of an increased risk of unauthorized data disclosure. I am assuming that the external hard drive was not encrypted.
Patterson said it is unclear whether the hard drive is simply lost or if it was stolen.
According to the report filed with the Morganton Department of Public Safety, an employee discovered the hard drive was missing on Dec. 31.
The employee tried to locate the hard drive at several locations she had visited in the past few days.
Patterson said the organization is in the process of drafting a letter to the affected clients who should receive the notice within the next five days.
BRCA provides services to children and adults.
Its programs include child development, nutritional assistance, housing, community service and adult day care and health services.
Commentary:
In my opinion, it is just as (and likely more) important for small organizations to protect sensitive information as it is for large organizations. One reason is the ability to absorb losses associated with a breach. Larger organizations seem to have better success in absorbing losses associated with breaches, whereas smaller organizations may lose a significant portion of their customer base. If margins are small, even a small loss can be catastrophic. The key is to be proactive and think of information security as an integrated business issue.
We (information security professionals) need to reach out to small organizations more.
Past Breaches:
Unknown
