139,000 Mass. investment advisers alerted to employee "mistake"
Date Reported:
7/6/10
Organization:
State of Massachusetts ("Commonwealth of Massachusetts")
Contractor/Consultant/Branch:
Secretary of the Commonwealth of Massachusetts
Massachusetts Securities Division
Location:
Victims:
"state-registered investment advisers"
Number Affected:
139,000
Types of Data:
Names, addresses, Social Security numbers, dates and locations of birth, height, weight, hair color, and eye color
Breach Description:
"The Massachusetts secretary of state’s office, which is charged with enforcing financial rules for investment companies, accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state."
Reference URL:
Securities Division breach information page
The Boston Globe
The Wall Street Journal
CRN.com
Report Credit:
Todd Wallack, The Boston Globe
Response:
From the online sources cited above:
The Massachusetts secretary of state’s office, which is charged with enforcing financial rules for investment companies, accidentally released confidential personal information earlier this year on 139,000 investment advisers registered with the state.
[Evan] Most information security related "accidents" happen because of poor information security training (and awareness) practices.
The data, including the advisers’ Social Security numbers, were on a CD-ROM sent to IA Week, an investment industry publication that had requested public information from the Securities Division, which Secretary of State William F. Galvin oversees.
[Evan] IA Week is the name of the publication, but the name of the organization is Investment Adviser Watch ("IA Watch"). The organization's site is here.
IA Week had asked for a list of registered investment companies.
The Securities Division responded by sending a list of individual investment professionals.
[Evan] IA Watch asked for a list of companies and received a list of individuals. That's a big mistake.
In addition to their names and Social Security numbers, this list included their dates and locations of birth, height, weight, hair color, and eye color.
“It’s a pretty big mistake,’’ said Carl Ayers, IA Week’s publisher. “It’s pretty shocking, because it’s such a large number of people.’’
IA returned the database to the Securities Division in June and wrote about the episode last week.
Brian McNiff, a spokesman for Galvin, said a new employee erred by not deleting the Social Security numbers and other information that is normally withheld.
[Evan] This is hardly an excuse. All new employees (and especially those with access to sensitive information) must be given adequate information security training before assuming any functional role, and all employees should receive annual re-training (or certification). If a new employee had received proper information security training, you would expect him or her to be less prone to an error like this, since the training should still be fresh. What do you think the chances are that the Securities Division has inadequate or missing information security training for new employees?
McNiff said IA Week returned the CD-ROM with a letter stating it had not made any copies of the data, so the state has no reason to think anyone was harmed.
“It’s an unfortunate mistake,’’ McNiff said. “It obviously was not done according to [standard] practice.’’
[Evan] The fear is that this breach may only be a symptom of the organization's standard practice(s).
Under Massachusetts law, organizations are required to notify the individuals affected, the state attorney general, and the director of consumer affairs whenever a security breach occurs that exposes the personal information of Massachusetts residents.
McNiff said the Securities Division is trying to determine whether it needs to notify anyone, since it has recovered the data and does not believe it was ever misused.
[Evan] Simple. Set the law aside for a moment: what is the right thing to do, and what would the owners of the information expect?
The episode is a fresh reminder that data breaches — whether involving theft or mistakes — are becoming more common as companies compile greater amounts of electronic data.
As of last fall, Massachusetts regulators had received reports from companies of more than 800 data breaches that potentially affected more than 1 million residents of the state.
Commentary:
I have said it many times: people pose the most significant risk to information security (i.e. unauthorized disclosure, modification, and/or destruction). Every company or organization that creates, processes, stores, transmits, or uses sensitive information in any manner or form must adequately train its employees in the prevention, detection, and correction of information security incidents. This is critical to the success of an information security program.
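Training is the control this page argues for, but a release like the one described above (a public-records export that should have had Social Security numbers and other withheld fields stripped) is also exactly the kind of step that should not depend on one new employee remembering the rule. The following is an added example, written for this post and not code from the Securities Division or from IA Watch, of a small release gate: it allow-lists the columns a requester is entitled to and then scans whatever survives for SSN-shaped values, refusing to produce the file if any remain. The column names, the "notes" column, and the sample rows are all constructed for the example; the real CRD export layout is not described on this page.

```python
import csv
import io
import re

# Constructed sample export (fake people, fake numbers), not the Division's data.
# Column names are assumptions modelled on the field types the page lists.
SAMPLE_EXPORT = """name,firm,address,ssn,dob,birth_place,height_in,weight_lb,hair,eyes,notes
Jane Example,Example Advisors LLC,1 Main St Boston MA,123-45-6789,1970-01-01,Boston MA,66,140,brown,brown,
John Sample,Sample Capital,2 Elm St Worcester MA,987-65-4321,1965-05-05,Worcester MA,72,180,black,blue,"prior SSN 111-22-3333 on file"
"""

# Assumption: these are the only fields a "list of registered investment
# companies" request is entitled to. Anything not listed here is withheld.
PUBLIC_FIELDS = ("name", "firm", "address")

# Deliberately broad: dashed SSNs and any bare 9-digit run. A false positive
# costs a human review; a false negative is the breach described on the page.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def redact_export(csv_text, public_fields=PUBLIC_FIELDS):
    """Rebuild the export keeping only allow-listed columns (drop, don't blank)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(public_fields))
    writer.writeheader()
    for row in reader:
        writer.writerow({f: row.get(f, "") for f in public_fields})
    return out.getvalue()


def find_ssn_leaks(csv_text):
    """Scan every cell of a would-be release; return (row_number, column, match) hits.

    This runs on the redacted output, not the source, so it also catches an
    SSN that was typed into a free-text column that is otherwise releasable.
    """
    hits = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for col, val in row.items():
            m = SSN_RE.search(val or "")
            if m:
                hits.append((n, col, m.group(0)))
    return hits


def prepare_release(csv_text, public_fields=PUBLIC_FIELDS):
    """Allow-list columns, then refuse to release if any SSN-like token survives."""
    released = redact_export(csv_text, public_fields)
    leaks = find_ssn_leaks(released)
    if leaks:
        raise ValueError("release blocked, SSN-like values found: %r" % (leaks,))
    return released


if __name__ == "__main__":
    print("leaks in raw export:", find_ssn_leaks(SAMPLE_EXPORT))
    print(prepare_release(SAMPLE_EXPORT))
```

The two checks are independent on purpose: the allow-list is what the new employee was supposed to apply by hand, and the scan is the backstop that fires when someone allow-lists a column that turns out to contain an SSN anyway (try `prepare_release(SAMPLE_EXPORT, ("name", "firm", "notes"))`). Neither replaces the training the commentary calls for; they make its failure visible before the CD-ROM leaves the building.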
According to the Division announcement, the information involved in the breach was obtained from the Division's "Central Registration Depository (CRD)". Do you think that this may be TMI? Debatable, I guess.
Past Breaches:
State of Massachusetts:
More than one