[ISN] More laptops mean greater security risk to taxpayers

From: InfoSec News (alerts@private)
Date: Tue Sep 04 2007 - 22:07:06 PDT


http://www.nhregister.com/site/news.cfm?newsid=18777364&BRD=1281&PAG=461&dept_id=590581&rfi=6

By Gregory B. Hladky
Capitol Bureau Chief
09/03/2007

HARTFORD - Last months theft of a state laptop computer containing 
confidential information on 106,000 Connecticut taxpayers has 
highlighted concerns about security for the state governments increasing 
numbers of laptops.

The 14 largest state agencies own between 2,500 and 3,000 laptops that 
their employees often use in the field or at home, according to figures 
supplied by the Department of Information Technology.

Officials at the comptrollers office say 19 state laptops were reported 
stolen between June 30, 2006, and July 1, 2007.

Nuala Whelton, spokeswoman for the information agency, said the number 
of state-owned laptop computers is increasing at a rapid pace in large 
part because the state is attempting to prepare for various types of 
emergencies.

"We want to have a way for our state employees to continue to do their 
jobs even if their regular place of business is shut down," Whelton 
said.

The fear is that severe weather or a terrorist attack or even a flu 
pandemic could shut down essential services if key buildings had to be 
closed. Use of laptops means employees can access information in the 
field or at home if they cant get to work.

Whelton said there has been "a real spike in the past year" in the 
number of employees who are using the special system that allows them 
remote access to the states computer network. She said use of the 
virtual private network has jumped by about 30 percent.

The system is intended to allow employees to work from home or in the 
field "over a secure network," Whelton said. Access to the network is 
limited, which means employees must use a special system rather than 
simply connecting from a commercial Internet service.

But the increased use of laptops by employees also carries a risk, as 
was illustrated by the recent theft of a Department of Revenue Services 
laptop.

The portable computer was stolen Aug. 17 from the personal car of an 
employee of the tax agency. The workers vehicle happened to be in 
Suffolk County, N.Y., at the time of the theft.

Although state officials say the theft was reported "within hours," it 
took the agencys computer forensic experts 11 days to reconstruct what 
information was on the laptop, and the result was a blockbuster.

The DRS laptop contained the names and Social Security numbers of about 
10 percent of all Connecticut taxpayers.

The stolen laptops information was protected by a security password and 
state officials said last week there had been no indication that any of 
the information had been used for illegal purposes.

But DRS spokeswoman Sarah Kaufman said experts fear an individual with 
the right computer skills who knew what he was looking for could find a 
way to access the confidential taxpayer information.

The state has created a new search engine (available at www.ct.gov/DRS) 
to allow taxpayers to find out if their information was on the stolen 
laptop.

In addition, the state will spend about $1 million to provide free 
identity-theft coverage for a year for taxpayers whose information was 
stolen and who register for the service.

DRS officials are conducting an internal investigation to find out why 
so much taxpayer information was contained on one portable computer and 
why the employee had the computer in a personal car on Long Island. The 
name of the worker involved isnt being released because of the 
investigation.

Kaufman said DRS has issued 177 laptops to its employees, primarily to 
tax auditors so they can work more easily and quickly on field audits. 
Only information necessary to an employees current tasks are supposed to 
be on a DRS laptop, according to Kaufman.

Rell has ordered a series of new controls on the use of laptops in the 
wake of the stolen computer incident. Those will include tougher 
restrictions on what kind of sensitive information can be loaded on 
state laptops, stricter reporting requirements for computers that are 
lost or stolen, and new encryption programs for all agencies.

Whelton said an interagency group was already working on new encryption 
standards for computers before the DRS laptop was stolen.

Copyright New Haven Register 2007


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/



This archive was generated by hypermail 2.1.3 : Tue Sep 04 2007 - 22:20:11 PDT