The Seventh-day Adventist Church reports a stolen laptop
Date Reported:
1/7/09
Organization:
Seventh-Day Adventist Church
Contractor/Consultant/Branch:
North American Division of Seventh-day Adventists Retirement Plans
Location:
Silver Spring, Maryland
Victims:
Employees
Number Affected:
Unknown*
*There are "approximately 292 residents" of New Hampshire affected according to the breach notification
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
"On December 13, 2008, a laptop computer assigned to an employee of the North American Division of Seventh-day Adventists Retirement Plans was stolen. On this computer was personal information including names and social security numbers."
Reference URL:
New Hampshire Attorney General breach notification
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
The attached notification letter is scheduled to be sent by mail to affected individuals on January 9, 2009.
We are writing to inform you of a recent incident that could affect you.
Regrettably, we have discovered that personal information about you may have been exposed through the theft of a computer.
[Evan] Was the computer encrypted or protected by anything more than an operating system password? There is no mention of any controls meant to protect the information, so there is little information from which a person can judge risk. Information owners (the victims) should be given enough information to judge risk for themselves.
On December 13, 2008, a laptop computer assigned to an employee of the North American Division of Seventh-day Adventists Retirement Plans was stolen.
On this computer was personal information including names and social security numbers.
This matter has been reported to law enforcement and the investigation is ongoing.
While the laptop has been recovered, we cannot account for it during the four days it was not in our possession or control.
[Evan] Even though the laptop was recovered, I commend the Church's decision to notify people. I just wish they would have provided more information. The Church should be able to determine whether or not someone accessed the information on the laptop with some degree of certainty, given a thorough forensic analysis.
We assure you that we are committed to safeguarding your sensitive personal information.
We never want to see any compromise of such information, and have taken immediate steps to fortify the security measures that were already in place.
[Evan] What steps were taken to "fortify the security measures" and what security measures "were already in place"? This statement means little with nothing to quantify risk.
Commentary:
The Seventh-day Adventist Church is providing the affected people with ID TheftSmart from Kroll Inc. for free, but it is not clear for how long.
Is the Seventh-day Adventist Church another organization that doesn't encrypt?
Past Breaches:
Unknown
