BreachExchange mailing list archives
Oregon Prisons Hit by Worker Info Breach
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 10 Feb 2011 21:43:11 -0500
http://www.ktvz.com/oregon-northwest/26811098/detail.html SALEM, Ore. -- The Oregon Department of Corrections revealed Wednesday that personal data on hundreds of its employees may have been found on a portable "thumb drive," including payroll information and Social Security numbers, but said all indications are that it was accidental and there's no indication any of the info was misused. The agency received word on Jan. 27 of the potential information security breach from a non-employee, member of the public. The breach involved a thumb drive that "allegedly contained personally identifiable information about DOC employees," the department said. The agency immediately began an investigation to verify the report and to determine what data may have actually been on the thumb drive. The Oregon State Police were notified and are assisting with DOC's investigation, in addition to facilitating their own external investigation, officials said. "Because the thumb drive was damaged prior to the department receiving it, we cannot know what was on it," the DOC news release said. However, they added, "Initial forensic findings indicate that at least two types of information may have been breached: Staff members' personal information, including social security numbers: • Payroll reports from Warner Creek Correctional Facility (WCCF) from July 31, 2005 to Sept. 30, 2007, which included names, social security numbers and other payroll information. • Payroll reports from Deer Ridge Correctional Institution (DRCI) near Madras from Aug. 31, 2006 to Sept. 30, 2007, which included names, social security numbers and other payroll information. Staff members' personal information, not including social security numbers: • Payroll reports from WCCF, DRCI and Shutter Creek Correctional Institution (SCCI) from Oct. 1, 2007 to present, which included staff names and other payroll related information similar to what's found on a pay stub. These reports did not include social security numbers. At this time, the scope of the potential breach is limited to just under 550 total staff members; just under 300 staff members' Social Security numbers have potentially been breached. "We have no reason to believe staff at institutions other than WCCF, DRCI, or SCCF should be concerned," the agency's statement said. "We do not believe the breach was malicious in intent, nor do we have any indication at this time that the personal information has been used or misused," they added. As a precaution, DOC has contracted with ID Experts, a data breach and recovery services expert to ensure protection for staff members whose social security numbers may have been compromised. This service will be free to affected staff. ID Experts will provide staff, whose personal information (names and SS#s) was potentially breached, with fully managed recovery services including: - 12 months of credit and CyberScan monitoring - A $20,000 insurance reimbursement policy - Educational materials; and - Access to fraud resolution representatives In addition to notifying staff of the breach and providing credit monitoring services to those whose social security numbers were involved, DOC is continuing to investigate the situation to determine exactly how the thumb drive got into the hands of a non-employee. The agency is also examining internal practices to ensure that the security of personal information isn't breached in the future. The department employs approximately 4,500 staff across the state and operates 14 institutions and multiple worksites. _______________________________________________ Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org) Archived at http://seclists.org/dataloss/ Unsubscribe at http://datalossdb.org/mailing_list Learn encryption strategies that manage risk and shore up compliance. Download Article 1 of CREDANT Technologies' The Essentials Series: Endpoint Data Encryption That Actually Works http://credant.com/campaigns/realtime2/gap-LP1/
Current thread:
- Oregon Prisons Hit by Worker Info Breach Jake Kouns (Feb 10)