[ISN] Laptops with sensitive data stolen from Education contractor

From: InfoSec News (alerts@private)
Date: Tue Aug 29 2006 - 22:51:45 PDT


http://www.govexec.com/story_page.cfm?articleid=34906

By Daniel Pulliam
dpulliam at govexec.com
August 29, 2006

Two laptop computers believed to contain unencrypted personal
information about 43 grant reviewers were stolen from an Education
Department contractor in Washington, D.C., earlier this month.

The laptops, stolen Aug. 11, contained information about grant
reviewers for the Teacher Incentive Fund. An official for the
contractor overseeing the reviews, DTI Associates of Arlington, Va.,
said the firm could not rule out the possibility that Social Security
numbers, used in the processing of the reviewers' payments, were on
the computers.

The data breach was first reported Friday on Eduwonk, an education
news and commentary blog.

Bruce Rankin, DTI's vice president, said he personally attempted to
notify all individuals affected by the theft. He said the company will
provide each of them with one year of free credit monitoring through
Equifax Inc., a credit reporting agency.

Within minutes of realizing that the laptops had been taken from a
downtown Washington office building, Rankin said company officials
notified the Metropolitan Police Department. Within an hour, they
informed the Education Department.

According to Rankin, the police have identified a suspect through the
building's security cameras. A reward has been offered for the return
of the laptops, Rankin said.

Rankin said the computers were protected with the Windows login
password system, but had no encryption software.

Security experts say password protection is insufficient to prevent
identity theft and that the only way to secure sensitive information
is by using some form of encryption software.

This is the second reported data breach from an Education Department
contractor this month and adds to a string of recent reports of
missing or stolen government computers containing sensitive
information.

Last week, student loan holders logging on to an Education Web site
exposed their personal identities to others as a result of a glitch in
a contractor's efforts to service the site. As many as 21,000
borrowers in the Federal Direct Student Loan Program may have had
their personal data -- including Social Security numbers, birthdates
and addresses -- compromised.

On June 23, the Office of Management and Budget ordered agencies to
take action to improve the security of personally identifiable
information by Aug. 7, including encrypting data on all remote
computer devices containing sensitive information.

OMB also has eliminated the distinction between suspected and
confirmed data breaches for reporting purposes to the Homeland
Security Department's computer emergency response team, known as
US-CERT, after Veterans Affairs Department officials delayed for days
reporting the theft of a laptop computer containing the sensitive
information of 26.5 million individuals because they could not be sure
that the data was accessed.

To assist agencies that have lost personally identifiable information,
the General Services Administration has awarded a blanket purchase
agreement to three credit monitoring companies to provide agencies
with easy access to those services.

The award, announced Tuesday, allows agencies to take advantage of
lower prices, GSA said. Agencies will be able to select different
levels of credit monitoring services depending on the degree of risk.

The vendors included in the agreement are Bearak Reports of
Framingham, Mass., Atlanta-based Equifax and Experian Direct Consumer
of Irvine, Calif.




