[ISN] Stolen USDA computers may have left farmers at risk

From: InfoSec News (alerts@private)
Date: Mon Mar 12 2007 - 22:28:58 PST


March 12, 2007

Agriculture Department computers stolen in Stockton and Yuba City, 
Calif., could contain sensitive information about Central Valley 
farmers, federal investigators warn.

The seven computers stolen from the Valley offices over the past several 
years also reflect a larger problem, investigators believe. Officials 
didn't notify farmers whose personal information might have been 
compromised at the time of the thefts, nor did they have in place 
necessary safeguards.

"As a result," the investigators cautioned, "personally identifiable 
information of USDA customers and employees may have been lost and is at 
risk for improper use."

Lost and stolen computers have become a perennial problem for many 
federal agencies, and potentially pose risks to both privacy and 
national security. Census Bureau officials, nuclear weapon scientists at 
Los Alamos National Laboratory in New Mexico and analysts at the Energy 
Department's Office of Intelligence have all misplaced laptops, discs or 
other computer equipment in recent years, previous investigations found.

The losses have prompted the Bush administration to step up its 
scrutiny, prompting the latest audit by the Agriculture Department's 
Office of Inspector General. Agriculture Department officials have 
accepted the criticisms and say they are making improvements.

In July, the Agriculture Department reported to Congress that officials 
had found only eight incidents where private information might have been 
compromised by the loss of equipment since 2003. But when the Office of 
Inspector General looked more closely, the investigators found the 
Agriculture Department's initial report was "not accurate."

A total of 95 Agriculture Department computers were stolen between Oct. 
1, 2005 and May 31, 2006. In at least nine cases, officials acknowledged 
that the computers included names, addresses, Social Security numbers 
and payment information for individual farmers. These nine cases were in 
addition to the eight previously reported by the Agriculture Department.

"The true number of incidents might not be known," investigators added, 
because agencies "were not tracking, reporting or following up on stolen 
computer equipment."

The stolen computers identified by investigators included six taken from 
Yuba City and four taken from Stockton. The Agriculture Department 
maintains offices in both cities to administer programs for farmers 
throughout the Valley.

"Farmers, like any business owner, would not want their private 
information out in the public," Julia Berry, executive director of the 
Madera County Farm Bureau, noted Monday.

Berry added, though, that she had not heard specific concerns raised by 
local farmers about losing sensitive Agriculture Department information.

"There is always a concern about rural mail theft, and identify theft," 
added Liz Hudson, outreach director for the Fresno County Farm Bureau, 
"but this is the first I've heard of the (Agriculture Department) 
computer thefts."

The new audit does not specify exactly what information might have been 
on the stolen California computers. Other offices suffered even greater 
losses, including the Agriculture Department office in Tangent, Ore., 
from which 23 computers were stolen.

Nationwide, the investigators found that:

* Two-thirds of the stolen Agriculture Department computers lacked 
  encryption, which means anyone could look at the stored information. 
  Since June, the Bush administration has required that all sensitive 
  information be encrypted.

* In more than half of the cases, users of the stolen computers weren't 
  aware whether the Agriculture Department followed up on whether 
  private or sensitive information had been lost. Since June, federal 
  agencies have been required to conduct the follow-up assessments.

* More than 2,000 files containing private, sensitive information about 
  farmers were found on computers still located at the Agriculture 
  Department sites visited by investigators. Agency officials attributed 
  this to a programming error, which has since been corrected so that 
  the private information is retained only on central databases

Agriculture Department officials expect to complete purchasing an 
encryption package by the end of March.

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Mon Mar 12 2007 - 22:39:50 PST