Laptop stolen from Educational Testing Service office

Date Reported:
1/29/09

Organization:
Educational Testing Service ("ETS")

Contractor/Consultant/Branch:
None

Location:
Unknown

Victims:
Readers

Number Affected:
Unknown

Types of Data:
Personal information, including names and Social Security numbers

Breach Description:
"Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS). The laptop contained sensitive information belonging to people serving in the 'role as a reader for ETS.'"

Reference URL:
Maryland Attorney General breach notification

Report Credit:
The Maryland Attorney General

Response:
From the online source cited above:

This letter is to notify you of a potential compromise of your personal information, including your name and social security number.

We collected this information from you as part of our record keeping relating to your role as a reader for ETS.
[Evan] I can understand the potential need to collect Social Security numbers, maybe for tax purposes, but I don't understand the practice of storing this information on a laptop computer (even if it's kept in the office).

Overnight on December 15, 2008, a laptop went missing from the desk of an employee at the offices of Educational Testing Service (ETS).

The laptop had been locked into its docking station.
[Evan] Was the docking station stolen too?

On December 16, the fact that the laptop was missing was reported to ETS IT Security and ETS physical security.

IT Security examined the hard drive backup for the laptop and discovered that some personally identifiable information (PII) about you was present on the hard drive of the missing laptop, including your name and social security number.
[Evan] I am surprised to read that there was a "hard drive backup" of a user's laptop. This just isn't feasible in many organizations. I wonder if ETS is referring to folder synchronization as a "hard drive backup".

We have contacted local law enforcement authorities regarding this incident.

We have no reason to believe that the laptop was taken because of the PII on its hard drive.

As there is a potential that it could be accessed, we recommend that you take precautionary measures
[Evan] Sometimes it doesn't matter what "precautionary measures" you take when the organizations who store your personal information do so insecurely.

ETS is making efforts to recover the missing hardware.

ETS is taking steps to prevent a recurrence of this incident.

First, ETS has enhanced its physical security measures at all offices.

Second, ETS has begun deploying comprehensive military-grade encryption to all of its laptops; this project is scheduled for completion in the second quarter of 2009.
[Evan] Amen to this. It often takes an incident before changes are made. Obviously, it's too bad that this decision wasn't made before this incident.

In addition, all ETS computers, including laptops, can be accessed only via enforced strong passwords which must be changed regularly.
[Evan] If we increase the strength of passwords AND enforce regular changes, there is an increase in the number of incidents where people write passwords down. Nobody likes passwords. Users don't like them because they can be a pain in the rear, and information security personnel don't like them because they can be a very weak form of authentication. A conundrum.

We apologize for any inconvenience and concern that this situation may cause.

Should you have any questions regarding this notice, including questions regarding your particular record, please do not hesitate to contact a PASS representative, by phone at 1-, or by mail at Educational Testing Service, PASS, 225 Phillips Boulevard, Ewing, NJ 08628.

ETS is offering one year of credit monitoring to the affected people.

Commentary:
Laptops aren't just stolen from cars.

Past Breaches:
Unknown

Comments
  • 2/7/2009 10:08 AM Scott Wright wrote:
    A great example of why there should be as LITTLE personal or sensitive information as possible made accessible to a password protected account, especially on laptops or on the Web.

    Measures such as stronger passwords with a requirement to change them more often usually reach a point where "sticky notes" are used (as Evan points out) or where threats from a different dimension come into play, such as social engineering or keyloggers, etc.

    Thus, our mantra continues: use a balanced approach with multiple layers of safeguards.

    Cheers

    Scott
