
June 19, 2006

IT Security Barney Fife Award

Laptops in Jamaica

 

 

More laptops stolen, this time from Washington DC municipal employees. So is this part of an attempt to compromise key public and strategic data? And could it have national security implications?

 

First, one thing is certain: it is reaching epidemic proportions and seems to be the new method of madness among those interested in sucking up private and perhaps seriously damaging information.

 

According to the June 13 issue of the Iowa State Daily from the University of Iowa, Ames, Iowa, “More than 10 million Americans have been victims of identity theft and on average spend $1,500 and 175 hours of their time to recover from the effects, according to Fightidentitytheft.com.”

 

And it gets thicker: From a March 3 report by Datamonitor,

 

Up to one in ten laptops will be stolen during their lifetime according to one of the law enforcement officers behind the www.juststolen.net website, and international accounting and consulting firm Ernst & Young was on the wrong end of this statistic recently. With laptops now accounting for around 40% of all computer sales, theft of these expensive devices is now escalating at an alarming rate.

 

One of the high-profile thefts (at least two were reported in the same week) took place as Ernst & Young auditors left their laptops in a conference room when they went for lunch. Even though the door to the room had a locking mechanism, the thieves were still able to gain access and steal four Dell laptop computers valued at $8,000.

While some might find these circumstances quite astonishing, figures suggest that 40% of laptop thefts happen while at work, and so it is advisable to tether your computer to the desk at all times if possible.

 

 

What type of information is at risk, and how bad is it? A simple LexisNexis search using the terms “laptop stolen” for a period covering the past six months yields 125 news hits. Here are some clippings:

 

 

June 18 Washington Post: A laptop containing personal data -- including Social Security numbers -- of 13,000 District workers and retirees was stolen Monday from the Southeast Washington home of an employee of ING U.S. Financial Services, the company said yesterday.

ING, which administers the District's retirement plan, known as DCPlus, notified the city about the theft late Friday.

The company is mailing a letter to all affected account holders to alert them to the risk of someone using the information to commit identity theft, spokeswoman Caroline Campbell said. The company is also telling customers that it will set up and pay for a year of credit monitoring and identity fraud protection.

The laptop was not protected by a password or encryption, Campbell said. Encryption safeguards information by scrambling it into indecipherable codes.

"We are concerned that this information was being managed without protection," said Mary Ann Young, spokeswoman for the city's chief financial officer. City officials also said they were disturbed that ING waited five days to inform them of the theft. Young said the District expects to get a thorough briefing from ING about the incident this week.

Campbell said ING did not alert the District sooner because it took several days for the company to figure out what the laptop contained.

 

June 14 The Pioneer Press, St. Paul: “Three laptop computers containing private information about 2,400 public employees and citizens who use government programs were reported stolen last week from the offices of Minnesota Auditor Patricia Anderson.”

 

June 14 Global News Wire – Europe Intelligence Wire: The Army has admitted that a laptop computer being used by officers involved in a highly sensitive intelligence gathering exercise in Eastern Europe was stolen last August, writes Tom Brady.

 

June 11 Washington Post ED: As the public discovered that Social Security numbers and other personal information from 26.5 million retired and active U.S. military personnel were on a laptop stolen from the home of a Department of Veterans Affairs analyst last month, workers who were hoping to pitch their boss on a telecommuting option probably felt their hopes crash.

That breach was followed by the news that personal information was lost on a stolen laptop of a Giant employee. And more with the loss of a laptop by an Internal Revenue Service worker. And from an Ernst & Young worker. And on and on.

 

June 5 Newsday, Melville, NY: The parent company of subsidiaries including Stop & Shop has sent out letters to notify some of its former employees that their personal information may have been on a laptop that was stolen last month.

A statement released by Stop & Shop supermarkets contained few details about the theft but did say that the laptop computer was in the hands of an employee of an outside vendor that provides data processing services for the pension plan of the parent company, Ahold USA. The statement did not say how many employees were affected.

An Ahold letter received by one former employee Thursday offered a slightly different narrative, saying that the vendor lost the laptop computer from baggage checked on a May 2 domestic commercial flight.

The letter said that data in a file on the laptop are used to determine eligibility in the company-sponsored pension plan, and the file contained the former employees' names, Social Security numbers, birth dates, benefit amounts and other "related information. No financial account or medical benefits information was in the file."

 

June 4 NBC’s Sunday Today with Lester Holt and Campbell Brown: LESTER HOLT: The popular Web site, hotels.com is warning customers this morning they may be at risk for identity theft. They say an auditor's laptop computer has been stolen. It contained the personal information, including credit card numbers, of some 230,000 customers. Robert Siciliano is the chief executive of idtheftsecurity.com, a firm that advises corporations on privacy issues.

 

May 29 Modern Healthcare: Concerns are growing that sensitive medical information was leaked in the theft of electronic data within the Veterans Affairs Department.

VA Secretary R. James Nicholson last week disclosed that a laptop computer stolen from an employee's home in May contained information for 26 million veterans, including birth dates, Social Security numbers and, in some cases, disability codes. It did not contain medical records, Nicholson said. The VA and FBI are investigating, but officials said they didn't believe the laptop was stolen because of the information.

During a hearing of the House Veterans' Affairs Committee to investigate the matter, however, a heated debate broke out between acting ranking member Rep. Bob Filner (D-Calif.) and Nicholson over information contained within the disability ratings for nearly 3 million veterans that was part of the stolen data. Codes that reference conditions amounting to a disability, such as schizophrenia, hepatitis C or HIV-related illnesses, were included in some of these records, said Len Sistek, minority staff director for the panel's Oversight and Investigations Subcommittee.

The VA's claims that the affected data did not include anyone's electronic health records, is a "bureaucratic" response, Filner said, adding that Nicholson "should resign" over the theft.

Compounding this issue is a Supreme Court decision that determined that the media have a First Amendment right to publish medical records that are stolen--no matter how the records were obtained, [Deborah Peel, chairwoman of the Patient Privacy Rights Foundation] said. "How many people are going to feel safe entering the military if they can't even trust that their medical records won't be disclosed and they'll be harmed further?" she asked.

 

March 23 AP, Boston: A laptop belonging to Fidelity Investments that held the names, addresses, birth dates, Social Security numbers and other information of 196,000 retirement account customers was stolen last week, the company says.

 

May 16 South Wales Evening Post: A Director of Swansea's Dylan Thomas Centre had his laptop stolen - while the building was hosting a police convention.

 

May 14 AP, Baltimore: A laptop computer containing Social Security and account numbers for nearly 50,000 bank customers has been stolen, but so far there have been no reports of identity theft or other suspicious activity.

Baltimore-based Mercantile Bankshares Corp. said Friday that the laptop was stolen a week earlier from a worker's car off company property. It contained personal information for customers of its Bethesda-based Mercantile Potomac Bank.

 

May 1 Business Wire, Vancouver, BC: Last week, on Wednesday, April 26th, Reuters reported that a laptop had been stolen from an Aetna employee's car. The computer contained personal information on approximately 38,000 members including names, addresses and Social Security numbers. The personal data is from members that are employees of two companies that are Aetna customers.

 

April 21 Seattle Times: “Boeing is notifying 3,600 current and former employees that their names, Social Security numbers and in some cases, addresses and phone numbers, may have been compromised after a laptop was stolen several days ago.”

 

April 12 Canadian Press NewsWire: REGINA (CP) - The Saskatchewan government is reassuring long-term care residents that their privacy is safe after a laptop containing 1,500 patient records was stolen from a contractor in Toronto.

The records were only being used to test a new computer system for the Saskatchewan Health Information Network and all the personal information had been stripped away before the laptop was taken, Health Minister Len Taylor said Wednesday.

"We have concluded that there are no privacy matters to concern us," Taylor told reporters.

 

March 24 The Times (London): FIDELITY INVESTMENTS has warned nearly 200,000 present and former staff of Hewlett-Packard in America to be vigilant in monitoring their accounts for the next two years after their personal details were stolen from Fidelity, the company's pension fund manager, last week.

The names, pay, pension details, addresses, birth dates, social security numbers and other sensitive information relating to 196,000 staff and ex-employees of the computer hardware company were held on a laptop stolen from a member of Fidelity's staff.

 

March 3 Rocky Mountain News, Denver: More than 93,000 current and former Metropolitan State College of Denver students could have been exposed to identity theft after a laptop containing their names and Social Security numbers was stolen, school officials said.

An admissions employee was using the data to conduct a study on the use of online courses for a grant and for a master's thesis, raising questions Thursday about whether the college has stringent enough policies on protecting student information.

 

February 7 The Press Association Ltd., UK: Two laptops have been stolen from offices used by former Metropolitan Police Commissioner Lord Stevens. The theft sparked fears they may contain material from Operation Paget, the investigation he is heading into the death of Diana, Princess of Wales.

 

January 30 News Group Newspapers Ltd., UK: The judge in the Abu Hamza trial has had a laptop computer stolen from his flat by burglars. A youth was seen climbing into the apartment of trial judge Sir Anthony Hughes, 57, while another kept watch. They shinned down a drainpipe and escaped on pedal bikes shortly after 9.30pm on Friday.

Cops probing the break-in told locals a laptop containing "sensitive information" had been swiped from the pad in Bloomsbury, London. A Met Police spokeswoman said: "Officers attended the scene but the suspects had left. They are described as two Asian males, both aged about 18 and both riding pedal bikes." Justice Hughes was unavailable for comment.


Hamza, from Shepherds Bush, West London, faces nine charges relating to soliciting followers to murder Jews and non-Muslims and stirring up racial hatred.

 

January 26 eWeek: Advisory firm Ameriprise Financial announced on January 25 that financial data of some 158,000 clients and 68,000 advisers was compromised when a company laptop was stolen from an employee's car.

A file stored on the laptop contained the clients' names and internal Ameriprise Financial account identification numbers, but not their Social Security numbers, addresses, phone numbers or dates of birth. But it did contain the Social Security numbers of the advisers.

 

January 24 The Seattle Post-Intelligencer: Two laptop computers were stolen from an off-campus UW Medical Center office late last month with the names and personal data of about 1,600 patients of the UW Travel Medicine Service, a university official confirms.

The laptops were stolen from the UW office in the Northgate Executive Center, either late Dec. 29 or early Dec. 30, UW Medicine spokeswoman Clare Hagerty said.

 

 

As Steven Levy wrote in the June 12 US Edition of Newsweek,

 

The nation was shocked last month to learn that a data analyst from the Department of Veterans Affairs had downloaded a database containing more than 26 million personal records, taken it home with him and then had his laptop stolen--exposing all the information necessary to swipe the identity of virtually every person released from military service since 1975. But to anyone paying attention, it was no surprise at all. A congressional committee that issues an annual report card on how each federal department protects information has assigned the VA an F for three of the last four years. The VA's own inspector general has repeatedly criticized the agency for failing to address "significant information security vulnerabilities." And the House committee overseeing the VA has been struggling for years to reform what it considers an information-technology "meltdown." Considering all this, it seemed almost inevitable that the VA would join the ranks of an expanding roster of companies and institutions that do a lousy job of protecting the files they keep on us.

The good news, sort of, is that considering the circumstances of the theft--there had been a number of similar petty burglaries in the analyst's neighborhood, none of which seemed to be the handiwork of black-hat hacker types--the purloined information may never reach the thriving Internet black market. (If it does, watch out, because the records contained the identity-theft trifecta--name, birth date, Social Security number--sufficient to get credit cards, buy cars and houses, and generally mess up someone's finances for years.) Nonetheless, this may wind up to be one of the costliest heists in history. The $25 million that Congress has budgeted to address the problem is only a start--some estimates of the ultimate cost of informing veterans and helping them monitor credit records approach $100 million. And that's only if no one's identity is actually stolen.

The frustrating thing is that the VA data theft, like just about every other huge information breach in the past few years, was utterly preventable. […]

 

And, given the value of that information, there is little doubt that a lucrative market for it already exists. But like our borders, ports, and so many other vital areas of national security, very few act as if threats really exist.

 

Stolen laptops containing sensitive information – unencrypted and not always properly password protected – are nothing new and should come as no shock to any of us. One need only remember the highly publicized laptops which disappeared from the Los Alamos laboratories during the Clinton era to ask why steps have apparently not yet been taken across the industry to guard our most sensitive information and protect our people.

 

So how does this affect you if you don’t lose your laptop? Well, you already know the answer: laptops stolen from government, healthcare, education, and business groups contain your personal data, data that can be used to steal your identity, ruin your credit, or, a worse and very real threat for members of government, the military, and major business figures, blackmail you. In other words, it quickly becomes a national security threat.

 

Add the information gleaned from stolen laptops to the already infamous intrusions on the above by internet hackers, lost or stolen backup drives, and the need among illegal aliens to steal your Social Security number to pass themselves off as legitimate to employers (who often look the other way), and you wind up with what is becoming, without any way to sugar coat it, an identity theft crisis. What’s worse, many in Washington don’t seem to think too much about it.

 

 

Posted by Martin at June 19, 2006 09:02 PM
