Laptop stolen from the City of Madison is recovered
Technorati Tag: Security Breach
Date Reported:
1/26/09
Organization:
City of Madison (WI)
Contractor/Consultant/Branch:
Human Resources
Location:
Madison, Wisconsin
Victims:
Employees
Number Affected:
"300 to 500"
Types of Data:
"names, photos, and Social Security numbers"
Breach Description:
"An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday."
Reference URL:
Wisconsin State Journal
The Badger Herald
Report Credit:
Dean Mosiman, Wisconsin State Journal
Response:
From the online sources cited above:
An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday.
[Evan] How many times have we seen this? We will assume that the laptop was not encrypted.
The laptop was found somewhere on South Hamiliton Street and turned over to police this morning, but it's unclear if sensitive information was stolen over the weekend.
The laptop was taken from a "relatively secure location" in the Human Resources offices of the City-County Building, Human Resources Director Brad Wirtz said.
[Evan] What is a "relatively secure location"? Relative to what?
The room is in an area marked off as being for authorized personnel only and behind a set of doors, he said.
The room, however, does see a lot of foot traffic, because it is used for job applicant testing, employee orientation sessions and for taking photo IDs
[Evan] This wouldn't even qualify as a slightly secure location in any of my assessments.
"There's not much more that I can do than apologize," Wirtz said. "We're hoping nothing will happen to any of these employees."
From 2004 through 2007, the city recorded employees' names, photos and Social Security numbers on the laptop for use when employees lost their identification cards and needed replacements
Shortly after he became the director of personnel in September 2007, Wirtz himself got a new ID card and recognized the security threat.
[Evan] Mr. Wirtz recognized the security threat, but chose to only address half of the problem.
He said he stopped what he believed was a "bad practice" of recording sensitive information on a portable computer in a room accessible by so many people.
The city began to use email addresses to identify employees, but the information recorded on the laptop from 2004 to 2007 was never deleted, he said, adding that it was thought the sensitive information would be removed over time as employees renewed IDs under the new system.
[Evan] If this were your information, would this be acceptable? Changing data collection procedures was a good call, but choosing to do nothing about the data already collected was ignorant.
"We just didn't think the computer was going to be stolen," he said. "We thought it would be eventually phased out."
[Evan] Most people who lose laptops or have them stolen say this. The fact of the matter is that laptops are stolen every single day. What makes your laptop so special to think that it's immune?
Any official or employee — except those in the police, fire and transit departments — who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk of identity theft, Wirtz said.
The information is password protected but that may not provide enough protection to prevent identity theft, he said.
The laptop was found on South Hamilton Street and turned into police, Wirtz said. The city is now checking to see if the information was accessed, he said.
[Evan] It is almost impossible to be 100% sure that data wasn't accessed.
The Madison Police Department announced Monday that no sensitive information was accessed
[Evan] I don't like this statement much. I can accept something like "based upon our detailed forensic analysis and years of investigation experience, we have been unable to detect any unauthorized access to the data". I know words are only words, but one statement is much different than the other.
The results of forensic tests performed on the recovered laptop showed multiple unsuccessful attempts were made to log into the computer
[Evan] The thief is an idiot.
“We had the computer analyzed by police computer forensic staff, and it was determined that the information had not be accessed,” said Human Resources Director Brad Wirtz.
In letters to employees this morning, Wirtz apologized for the incident and said the department is working with Information Technology and the police to protect private information.
Rachel Strauch-Nelson, spokesperson for Mayor Dave Cieslewicz, said, "We're obviously concerned. We're going to work with IT and HR to make sure all necessary precautions are taken.
[Evan] Let's hope that the city undertakes a detailed information security (and risk) assessment. This is the only way you can "make sure all necessary precautions are taken."
Ald. Thuy Pham-Remmele, 20th District, fired a scathing e-mail to Wirtz on Monday morning, saying the initial apology is insufficient and calling the incident "an unacceptable breach of all basic rules of internal control."
Pham-Remmele also pressed to know if there are other laptops that contain sensitive personal information.
Ald. Michael Schumacher, 18th District, in an e-mail to Wirtz, said there is no reason sensitive human resources data should be stored on laptops given known vulnerabilities.
Schumacher asked if Wirtz intends an inventory of laptops, data they contain and data storage related to personal information, a review of security protocols and checking other security measures.
[Evan] Sound like an assessment is in order.
The incident was an isolated situation, Wirtz said.
[Evan] Even isolated incidents have causes, and sometimes the causes aren't so isolated. What caused this isolated incident was one or more poor information security practices.
The incident doesn't represent a threat for other sensitive information, Wirtz said, noting that the stolen laptop was not a network computer. The rest of the city's sensitive information is encrypted and on the mainframe, he said The information will be deleted from the computer after it is analyzed, he said.
City staff members have since been urged to check the encryption of departmental computers and to ensure that their personal computers are protected.
“One thing that has been done today is our IT staff is doing full review of encryption software on all of the laptops that are used for the city,” said Rachel Strauch-Nelson, spokesperson for Mayor Cieslewicz. “This means if you’re not on network, you can’t access information.”
“At this point, we can say with certainty that none of your personal information was compromised as a result of the theft,” he said in the apology. “Again, I want you all to know how sorry I am that this occurred, I accept full responsibility and I will do everything in my power to make sure that this does not happen again.”
Commentary:
Although it appears likely that the confidentiality of the information on the laptop was not compromised, there is serious cause for concern.
Past Breaches:
Unknown
Date Reported:1/26/09
Organization:
City of Madison (WI)
Contractor/Consultant/Branch:
Human Resources
Location:
Madison, Wisconsin
Victims:
Employees
Number Affected:
"300 to 500"
Types of Data:
"names, photos, and Social Security numbers"
Breach Description:
"An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday."
Reference URL:
Wisconsin State Journal
The Badger Herald
Report Credit:
Dean Mosiman, Wisconsin State Journal
Response:
From the online sources cited above:
An oversight by the city of Madison's personnel office is the reason Social Security numbers of 300 to 500 city employees were stored on a laptop computer stolen from a city office Friday.
[Evan] How many times have we seen this? We will assume that the laptop was not encrypted.
The laptop was found somewhere on South Hamiliton Street and turned over to police this morning, but it's unclear if sensitive information was stolen over the weekend.
The laptop was taken from a "relatively secure location" in the Human Resources offices of the City-County Building, Human Resources Director Brad Wirtz said.
[Evan] What is a "relatively secure location"? Relative to what?
The room is in an area marked off as being for authorized personnel only and behind a set of doors, he said.
The room, however, does see a lot of foot traffic, because it is used for job applicant testing, employee orientation sessions and for taking photo IDs
[Evan] This wouldn't even qualify as a slightly secure location in any of my assessments.
"There's not much more that I can do than apologize," Wirtz said. "We're hoping nothing will happen to any of these employees."
From 2004 through 2007, the city recorded employees' names, photos and Social Security numbers on the laptop for use when employees lost their identification cards and needed replacements
Shortly after he became the director of personnel in September 2007, Wirtz himself got a new ID card and recognized the security threat.
[Evan] Mr. Wirtz recognized the security threat, but chose to only address half of the problem.
He said he stopped what he believed was a "bad practice" of recording sensitive information on a portable computer in a room accessible by so many people.
The city began to use email addresses to identify employees, but the information recorded on the laptop from 2004 to 2007 was never deleted, he said, adding that it was thought the sensitive information would be removed over time as employees renewed IDs under the new system.
[Evan] If this were your information, would this be acceptable? Changing data collection procedures was a good call, but choosing to do nothing about the data already collected was ignorant.
"We just didn't think the computer was going to be stolen," he said. "We thought it would be eventually phased out."
[Evan] Most people who lose laptops or have them stolen say this. The fact of the matter is that laptops are stolen every single day. What makes your laptop so special to think that it's immune?
Any official or employee — except those in the police, fire and transit departments — who was issued a new or replacement city identification card from the start of 2004 through 2007 may be at risk of identity theft, Wirtz said.
The information is password protected but that may not provide enough protection to prevent identity theft, he said.
The laptop was found on South Hamilton Street and turned into police, Wirtz said. The city is now checking to see if the information was accessed, he said.
[Evan] It is almost impossible to be 100% sure that data wasn't accessed.
The Madison Police Department announced Monday that no sensitive information was accessed
[Evan] I don't like this statement much. I can accept something like "based upon our detailed forensic analysis and years of investigation experience, we have been unable to detect any unauthorized access to the data". I know words are only words, but one statement is much different than the other.
The results of forensic tests performed on the recovered laptop showed multiple unsuccessful attempts were made to log into the computer
[Evan] The thief is an idiot.
“We had the computer analyzed by police computer forensic staff, and it was determined that the information had not be accessed,” said Human Resources Director Brad Wirtz.
In letters to employees this morning, Wirtz apologized for the incident and said the department is working with Information Technology and the police to protect private information.
Rachel Strauch-Nelson, spokesperson for Mayor Dave Cieslewicz, said, "We're obviously concerned. We're going to work with IT and HR to make sure all necessary precautions are taken.
[Evan] Let's hope that the city undertakes a detailed information security (and risk) assessment. This is the only way you can "make sure all necessary precautions are taken."
Ald. Thuy Pham-Remmele, 20th District, fired a scathing e-mail to Wirtz on Monday morning, saying the initial apology is insufficient and calling the incident "an unacceptable breach of all basic rules of internal control."
Pham-Remmele also pressed to know if there are other laptops that contain sensitive personal information.
Ald. Michael Schumacher, 18th District, in an e-mail to Wirtz, said there is no reason sensitive human resources data should be stored on laptops given known vulnerabilities.
Schumacher asked if Wirtz intends an inventory of laptops, data they contain and data storage related to personal information, a review of security protocols and checking other security measures.
[Evan] Sound like an assessment is in order.
The incident was an isolated situation, Wirtz said.
[Evan] Even isolated incidents have causes, and sometimes the causes aren't so isolated. What caused this isolated incident was one or more poor information security practices.
The incident doesn't represent a threat for other sensitive information, Wirtz said, noting that the stolen laptop was not a network computer. The rest of the city's sensitive information is encrypted and on the mainframe, he said The information will be deleted from the computer after it is analyzed, he said.
City staff members have since been urged to check the encryption of departmental computers and to ensure that their personal computers are protected.
“One thing that has been done today is our IT staff is doing full review of encryption software on all of the laptops that are used for the city,” said Rachel Strauch-Nelson, spokesperson for Mayor Cieslewicz. “This means if you’re not on network, you can’t access information.”
“At this point, we can say with certainty that none of your personal information was compromised as a result of the theft,” he said in the apology. “Again, I want you all to know how sorry I am that this occurred, I accept full responsibility and I will do everything in my power to make sure that this does not happen again.”
Commentary:
Although it appears likely that the confidentiality of the information on the laptop was not compromised, there is serious cause for concern.
Past Breaches:
Unknown
Posts Atom 1.0
Comments