Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation.
Carder forums (chatrooms) are where a lot of stolen personal and financial information is sold, right over the Internet.
Their press release on this unfortunate matter states they have extensive data protection protocols, which I would hope include the fact that the data (stored on a portable device) was encrypted.
I'm sure some are going to try to bash TSA for this incident, however I am going to take a different stance, which is that they appear to be handling the matter a lot more responsibly than many organizations that have been breached recently. In my humble opinion, the TSA is taking this seriously and handling this matter the best way possible. Data breaches embarrass a lot of organizations -- too many of them would rather avoid the negative publicity -- instead of doing the right thing to protect their (in this case OUR) most valuable asset, people.
I really liked their statement about what they intend to do about it - if wrongdoing is discovered:
TSA has extensive data protection protocols and training in place for its employees regarding data privacy. TSA has zero tolerance for employees not following policies on data protection and will take swift disciplinary action, including dismissal, against individuals found to be in violation of our procedures.
I'm not able to comment on TSA's data privacy procedures (never seen them), but one person with access who violates any data privacy procedure can do a lot of damage.
Data breaches have happened at a lot of places. If you are interested in reading more about them and where they occurred, the Privacy Rights Clearinghouse maintains a chronology, here.
A lot of data breaches occur when information is stored on portable (easily stolen) devices. Some claim that even if encryption is present on the device, the wrong person can still (sometimes) access the information.
The full press release can be read, here. They also link to the new government site on identity theft (worth a read if you haven't seen it yet), here.