BreachExchange mailing list archives

U.S. Workers Are on Alert After Breach of Data


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sun, 7 Nov 2010 20:57:54 -0500

http://www.nytimes.com/2010/11/07/us/07breach.html?_r=1

WASHINGTON — Federal workers at the General Services Administration
are on alert against identity theft after an employee sent the names
and Social Security numbers of the agency’s entire staff to a private
e-mail address.

The agency, which manages federal property, employs more than 12,000
people. Officials apologized to employees for the incident in a letter
dated Oct. 25 — almost six weeks after the breach occurred. The agency
said it had paid for employees to enroll in a one-year program to
monitor their credit reports, along with up to $25,000 in identity
theft insurance coverage.

The letter was signed by Casey Coleman, the chief information officer,
and Gail Lovelace, the agency’s senior privacy official. Neither
returned calls or e-mails for comment.

Sara Merriam, a spokeswoman for the agency, said in a statement on
Wednesday: “Ensuring the security of employee data is no small
challenge in large organizations. We will continue to evolve our
protocols to protect the employee information entrusted to us.”

Documents show that officials first notified employees on Sept. 28.
But workers who spoke with The New York Times said they did not learn
of the incident until early November, when the letters arrived in the
mail. Previous notices had been sent as security alert e-mails, which
employees said they received frequently and often ignored.

According to interviews and documents obtained by The Times,
technicians discovered the e-mail with names and Social Security
numbers while reviewing logs on Sept. 22, a week after the message was
sent, and deleted it from the recipient’s e-mail account and laptop.

The agency explained to employees that one worker had apparently
transmitted the file containing the personal data by accident while
seeking “work-related assistance,” and that it had not been forwarded.
Those involved had cooperated, and the computer that received the data
was scrubbed clean by agency technicians.

Still, Jack Hanley, who presides over a council representing the
roughly 4,000 General Services employees who are members of the
National Federation of Federal Employees union, said the agency’s
delay in notifying employees had put them at greater risk.
Additionally, he said, employees would remain vulnerable after the
one-year period.

“Some of them have come to our office who have worked years to clean
up their credit and have just got mortgages approved,” he said in an
interview on Wednesday. “And now if someone messes with their credit,
they’re going to lose.”

According to the documents, the agency inspector general is
investigating the incident. The inspector general, Brian Miller, did
not return calls for comment.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
