It looks like another nonprofit organization (the good kind) has been affected by the theft of a stolen laptop.  The Rio Grande Food Project, an organization that avails New Mexico residents with emergency food relief, has announced that a laptop computer was "stolen from a locked room at our facility."  Based on the contents of the letter, it looks like drive encryption software like AlertBoot was not used to secure the data.

This is quite unfortunate, since the stolen laptop contained what turns out to be a treasure trove of information for ID thieves: 36,000 names, addresses, dates of birth, and Social Security numbers.  Rio Grande's own site notes that if clients have received assistance in the past three years, they should put a fraud alert on their credit lines.

Aside from the locked door, the computer did have password-protection.  However, since there is no mention of the use of encryption software, one can safely assume it was not present in the stolen laptop.  And as I've mentioned in previous posts, password-protection is anything but.

I hate it when I hear that an NGO such as the above was involved in a data breach.  Granted, it's not a pleasant experience for anyone, but those who are in need of help truly cannot afford to deal with rectifying ID theft-related damages.

Some cynics may note, "these people need food relief.  How could things get worse for them?  Identity thieves certainly won't be able to get loans in their name!"  However, we must remember that the stolen data can and are used in more ways than getting loans.

• If a person applies for a job using someone else's SSN, that someone else is responsible for taxes.  The IRS will come after that someone else.
  
• If a fake ID is created with an actual SSN and valid name, and the holder of this fake ID is arrested, that SSN and valid name goes on police records.  They rarely get expunged; they may be marked as "an alias" to the criminal.  The victim will be questioned because of his "alias" if he gets stopped for, say, a traffic violation.
  
• If the above criminal decides to skip town after charges have been filed, or while on probation, or out on bail...there's a good chance the ID theft victim that will be caught.  The actual criminal will probably get himself a new ID to abuse.

There are other ways of getting in trouble, trouble that stems from lost personally identifiable information (PII).

I'll say it again, as many times as necessary--despite the fact that NGOs operate under the scantest of resources, when one considers their objectives and who they're serving, nonprofits are the ones that need to keep things encrypted.

Thieves are not below stealing from a good cause, nor stealing from those who need the help.

Related Articles:
http://www.kvia.com/Global/story.asp?S=9868859&nav=AbC0
http://riograndefoodproject.com/
http://datalossdb.org/incidents/1781-stolen-laptop-contains-social-security-numbers-addresses-and-dates-of-birth-of-36-000