http://www.govtech.com/gt/articles/418760

By Casey Mayville
Government Technology
Sept 30, 2008

"Fall Out." That was the term used by the shipping company when Dormitory Authority's back-up tapes went missing. On the trip from the Albany headquarters of this New York-based construction organization to their data center in New York City, the tapes literally had fallen out of their yellow mailing envelope. The tapes contained personal private or sensitive information (PPSI) of over 600 employees and approximately 3,000 vendors.

The shipping company needed five days to conduct a formal search to determine if the tapes were in fact lost, or just misplaced. In the meantime, Dormitory Authority's compliance officer Michael Springer was faced with a dilemma: Do we alert our vendors and employees that there has been a security breach or wait five days to make the decision?

Within two days' time, senior management decided to meet and exceed all disclosure requirements.

"If there [are] time requirements, we're going to beat them. If there's criteria laid out, we're going to exceed it. We want to be forthright and very responsible for this entire situation," said Springer.

And so began the disclosure process.

The first step was to determine exactly what kind of information was on the tapes and who it would affect. The five tapes were nightly back-ups of various systems. The two most critical systems housed the financial management application and the employee time-keeping application. Both of these applications contained PPSI -- and neither was encrypted. Social security numbers and tax ID numbers of thousands of vendors and hundreds of employees were now compromised.

The organization then notified New York's Office of Cyber Security and Critical Infrastructure Coordination (CSCIC), the Attorney General and the state's Consumer Protection Board of the situation.

[...]

Received on Wed Oct 01 2008 - 23:43:44 PDT