BreachExchange mailing list archives

Oregon Prisons Hit by Worker Info Breach


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Thu, 10 Feb 2011 21:43:11 -0500

http://www.ktvz.com/oregon-northwest/26811098/detail.html

SALEM, Ore. -- The Oregon Department of Corrections revealed Wednesday
that personal data on hundreds of its employees may have been found on
a portable "thumb drive," including payroll information and Social
Security numbers, but said all indications are that it was accidental
and there's no indication any of the info was misused.

The agency received word on Jan. 27 of the potential information
security breach from a non-employee, member of the public. The breach
involved a thumb drive that "allegedly contained personally
identifiable information about DOC employees," the department said.

The agency immediately began an investigation to verify the report and
to determine what data may have actually been on the thumb drive. The
Oregon State Police were notified and are assisting with DOC's
investigation, in addition to facilitating their own external
investigation, officials said.

"Because the thumb drive was damaged prior to the department receiving
it, we cannot know what was on it," the DOC news release said.
However, they added, "Initial forensic findings indicate that at least
two types of information may have been breached:

Staff members' personal information, including social security numbers:

• Payroll reports from Warner Creek Correctional Facility (WCCF) from
July 31, 2005 to Sept. 30, 2007, which included names, social security
numbers and other payroll information.
• Payroll reports from Deer Ridge Correctional Institution (DRCI) near
Madras from Aug. 31, 2006 to Sept. 30, 2007, which included names,
social security numbers and other payroll information.

Staff members' personal information, not including social security numbers:

• Payroll reports from WCCF, DRCI and Shutter Creek Correctional
Institution (SCCI) from Oct. 1, 2007 to present, which included staff
names and other payroll related information similar to what's found on
a pay stub. These reports did not include social security numbers.

At this time, the scope of the potential breach is limited to just
under 550 total staff members; just under 300 staff members' Social
Security numbers have potentially been breached.

"We have no reason to believe staff at institutions other than WCCF,
DRCI, or SCCF should be concerned," the agency's statement said.

"We do not believe the breach was malicious in intent, nor do we have
any indication at this time that the personal information has been
used or misused," they added.

As a precaution, DOC has contracted with ID Experts, a data breach and
recovery services expert, to ensure protection for staff members whose
social security numbers may have been compromised. This service will
be free to affected staff. ID Experts will provide staff, whose
personal information (names and SS#s) was potentially breached, with
fully managed recovery services including:
- 12 months of credit and CyberScan monitoring
- A $20,000 insurance reimbursement policy
- Educational materials; and
- Access to fraud resolution representatives

In addition to notifying staff of the breach and providing credit
monitoring services to those whose social security numbers were
involved, DOC is continuing to investigate the situation to determine
exactly how the thumb drive got into the hands of a non-employee.

The agency is also examining internal practices to ensure that the
security of personal information isn't breached in the future.

The department employs approximately 4,500 staff across the state and
operates 14 institutions and multiple worksites.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
