Missing Laptop Contained Sutter Workers Data

Tuesday, June 30, 2009 16:47

SACRAMENTO, CA – Hundreds of current and former employees with Sutter Health will soon get a letter telling them their personal data has been compromised.


Officials for the company’s Sacramento Sierra region recently received a big surprise when they were contacted by a computer repair shop.

“The repair people did the right thing and told us they had our laptop,” said Sutter Communication Coordinator Kami Lloyd. The laptop contained names and social security numbers of 6,000 Sutter Health workers.

A letter sent to workers said Sutter believed an employee had been in possession of a company laptop since 2007, but late last month it showed up at a computer repair business. When technicians realized where the computer came from, they returned the hard drive to Sutter.

The letter said a forensic analysis revealed that the computer repair business did open a file that contained workers’ Social Security information. Although the repair shop wrote a certified letter stating it didn’t retain any information on the hard drive, Sutter advised employees to contact credit reporting companies and put fraud alerts on their credit files.

The letter went on to say workers should contact police if they notice suspicious activity on their credit reports.

Sutter has also told employees that a company called Kroll Inc. will “provide you with access to its ID TheftSmart service at no cost to you for one year.”

The letter stated Sutter has taken steps to safeguard employees’ information in the future by encrypting all data on company laptops so that only an authorized password can retrieve that information.

Employees were also told to save files and documents to network drives and not PC hard drives.

According to the letter, Sutter will track the disposal of old computers to make sure old laptops or desktop computers are returned when new systems are issued.


Stolen flash drive held personal data on 2,828 people

Wednesday, June 24, 2009 21:59

Published: Wednesday, June 24, 2009 at 6:13 p.m.

The names, addresses and Social Security numbers of about 3,000 people employed by a handful of state businesses were on a password-protected flash drive stolen from the car of a Florida Department of Revenue employee in Georgia.

There is no evidence any of the identities have been stolen, said Walter Boyd, the department’s chief confidential information officer.

The department sent letters to 2,828 people throughout the state whose information was on the flash drive. The letters contained information about the theft and Web sites that describe how to monitor for misuse of personal information. Credit monitoring agencies also have been notified to look for suspicious activity.

The people were current or past employees of six large corporations that are being audited by the state. The names of audited companies are confidential, but the employees worked throughout the state, Boyd said.

While the file with the information was password-protected, it was not encrypted, he said. Department policies require encryption for laptops, and a new policy is pending approval that would require the same level of security for flash drives and other mobile devices. Currently, the department has guidelines that say flash drives should be encrypted, he said.

Boyd said a sophisticated thief could bypass the password.

“We can hope for a stereotypical thief, some unsophisticated thief that just wants to sell the equipment and doesn’t know what’s on there,” he said.

The flash drive was in a laptop that was stolen from a Florida Department of Revenue employee’s unlocked car at the employee’s home in Marietta, Ga., on April 9, along with a cell phone and GPS device, according to a police report.

The revenue department sent letters to the employees earlier this month.

Marietta police Officer Jennifer Murphy said there have been no arrests, and none of the stolen items has been recovered.

Nevada Mandates PCI Standard

Sunday, June 21, 2009 19:46

Saturday, June 20, 2009


Nevada has recently passed a law mandating PCI compliance for companies accepting payment cards that do business in the state. It is scheduled to go into effect on January 1st, 2010.


This makes Nevada the very first state to actually mandate PCI. The prize for toughest-state-data-security-law used to belong to Massachusetts. But Mass has recently been wavering and its technical requirements are almost non-existent compared to PCI.

The Nevada law is no reason to panic and doesn’t really change much for companies dealing with credit card data. Those companies already have a contractual obligation to adhere to PCI. The Nevada law ups the ante by making this an actual legal requirement, but the standard itself remains the same. And as far as actual enforcement goes, the Nevada law says nothing about penalties whereas PCI has the ability to fine non-compliant companies.

The bigger change is for companies that deal with non-credit card personal data. The Nevada law defines nonpublic personal information as a Social Security number, driver’s license number, or account number in combination with a password. It mandates the use of encryption for the transfer of such data outside of a company’s control (this requirement existed in various forms in previous Nevada legislation as well).


Charles Schwab Stolen Hard-drives

Wednesday, June 17, 2009 14:45

Letter to the Victims, June 11, 2009

(RESEARCH INTO SCHWAB’S INTERNAL ORGANIZATION INDICATES THAT RESPONSIBILITY FOR INFORMATION SECURITY IS WITHIN THE INFORMATION TECHNOLOGY DEPARTMENT -  1st MISTAKE.  EVEN THOUGH THERE IS A CHIEF PRIVACY OFFICER THEY DOUBLE AS THE INFORMATION SECURITY OFFICER – 2nd MISTAKE) ~ DONALD’S COMMENTS


You may have been impacted by a recent data incident.

I’m writing to alert you to a recent security incident involving client information, and to let you know what steps we are taking and recommend that you take as a result. We take the security of our clients’ accounts very seriously, and we apologize for this incident and the inconvenience it has caused.

What happened.
Recently, a Schwab computer hard drive that included client data was stolen. Some of your personal information, including Social Security number, name or Schwab account number, was on the hard drive. No passwords were included in the data.

This was an isolated incident, not a case of online fraud or computer hacking. It doesn’t appear that the theft of this computer hard drive was intended for fraudulent purposes or identity theft.

What steps we are taking.
Schwab is working with law enforcement officials to recover the computer hard drive. As a precaution, we are monitoring your account to deter any unauthorized activity. In the event that you suspect any unauthorized activity, please call us immediately at 1-877-576-7928.

What steps we recommend you take.
To further protect your information, we recommend you do the following:

Read the rest of this entry »

Cyberwar – Privacy May Be a Victim in Cyberdefense Plan – Series

Sunday, June 14, 2009 1:07

WASHINGTON — A plan to create a new Pentagon cyber command is raising significant privacy and diplomatic concerns, as the Obama administration moves ahead on efforts to protect the nation from cyber attack and to prepare for possible offensive operations against adversaries’ computer networks.

President Obama has said that the new cyberdefense strategy he unveiled last month will provide protections for personal privacy and civil liberties. But senior Pentagon and military officials say that Mr. Obama’s assurances may be challenging to guarantee in practice, particularly in trying to monitor the thousands of daily attacks on security systems in the United States that have set off a race to develop better cyberweapons.

Read the rest of this entry »