Friday, May 04, 2007

TSA loses 100,000 employee records and discloses the matter, immediately

For the first time, I can remember a data-breach is being reported the day after it was discovered by an agency entrusted to protect and serve the public at large. Here is part of the press release from the Transportation Security Agency (TSA):

Yesterday the Transportation Security Administration (TSA) became aware of a potential data security incident involving approximately 100,000 archived employment records of individuals employed by the agency from January 2002 until August 2005. An external hard drive containing personnel data (including name, social security number, date of birth, payroll information, bank account and routing information) was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital. It is unclear at this stage whether the device is still within headquarters or was stolen. TSA immediately reported the incident to senior DHS and law enforcement officials and launched an investigation.

Of note, the information compromised here is everything an identity thief would need to completely assume another person's identity, sometimes referred to in carder forums as a "full."

Carder forums (chatrooms) are where a lot of stolen personal and financial information is sold, right over the Internet.

Their press release on this unfortunate matter states they have extensive data protection protocols, which I would hope include the fact that the data (stored on a portable device) was encrypted.

I'm sure some are going to try to bash TSA for this incident, however I am going to take a different stance, which is they appear to be handling the matter a lot more responsibly than many organizations that have breached, recently. In my humble opinion, the TSA is taking this seriously and handling this matter the best way possible. Data breaches embarrass a lot of organizations -- too many of them would rather avoid the negative publicity -- instead of doing the right thing to protect their (in this case OUR) most valuable asset, people.
I'm not thrilled with this data breach -- or that information continues to be left where it shouldn't be -- but disclosure (being more honest) goes a long way towards fixing the overall problem.

Recently, a TSA employee caught a culprit with 43 different driver's licenses and a lot of bogus payment devices. We need to remember that the people compromised by this, protect all of us!

I really liked their statement about what they intend to do about it - if wrongdoing is discovered:

TSA has extensive data protections protocols and training in place for its employees regarding data privacy. TSA has zero tolerance for employees not following policies on data protection and will take swift disciplinary action, including dismissal, against individuals found to be in violation of our procedures.

I'm not able to comment on TSA's data privacy procedures (never seen them), but one person with access, who violates any data privacy procedure can do a lot of damage.
If anyone knows something about this data-breach, information can be submitted to the FBI (investigating agency), here.

Data breaches have happened at a lot of places. If you are interested in reading more about them and where they occurred, the Privacy Rights Clearinghouse maintains a chronology, here.

A lot of data breaches occur when information is stored on portable (easily stolen) devices. Some claim that even if encryption is present on the device, the wrong person can still (sometimes) access the information.

The full press release can be read, here. They also link to the new government site on identity theft (worth a read if you haven't seen it yet), here.

No comments: