[ISN] Data Breach: How and When to Say "We Screwed Up"

From: InfoSec News <alerts_at_private>
Date: Thu, 2 Oct 2008 01:43:44 -0500 (CDT)

By Casey Mayville
Government Technology
Sept 30, 2008

"Fall out." That was the term the shipping company used when the 
Dormitory Authority's back-up tapes went missing. On the trip from the 
Albany headquarters of this New York-based construction organization to 
its data center in New York City, the tapes had literally fallen out 
of their yellow mailing envelope. The tapes contained personal, private 
or sensitive information (PPSI) on over 600 employees and approximately 
3,000 vendors. The shipping company needed five days to conduct a formal 
search to determine whether the tapes were in fact lost or just misplaced.

In the meantime, the Dormitory Authority's compliance officer Michael 
Springer was faced with a dilemma: Do we alert our vendors and employees 
that there has been a security breach now, or wait five days to make the 
decision? Within two days' time, senior management decided to meet and 
exceed all disclosure requirements. "If there [are] time requirements, 
we're going to beat them. If there's criteria laid out, we're going to 
exceed it. We want to be forthright and very responsible for this entire 
situation," said Springer. And so began the disclosure process.

The first step was to determine exactly what kind of information was on 
the tapes and whom it would affect. The five tapes were nightly back-ups 
of various systems. The two most critical systems housed the financial 
management application and the employee time-keeping application. Both 
of these applications contained PPSI -- and neither was encrypted. 
Social Security numbers and tax ID numbers of thousands of vendors and 
hundreds of employees were now compromised.

The organization then notified New York's Office of Cyber Security and 
Critical Infrastructure Coordination (CSCIC), the Attorney General and 
the state's Consumer Protection Board of the situation.

Received on Wed Oct 01 2008 - 23:43:44 PDT
