New York's finest--past and present--are being notified of a data breach at the Police Pension Fund. While authorities didn't come out and say it, we can infer that there are tapes in the breach that did not use data encryption like AlertBoot's endpoint security systems.
As you've probably read by now, the communications director for the NY Police Pension Fund stole eight backup tapes that contained personal and financial information for 80,000 current and retired NY cops. He approached the facility where the information was being safeguarded, flashed an expired ID badge, disabled security cameras, and made off with the tapes. He was only caught because he made "suspicious remarks" while at work and that prompted an investigation.
Other notable things about the story: the security guard let the director through, even though his name wasn't on the list of authorized personnel (obviously, the security guard doesn't read well...this and the expired ID? Come on...)
Also notable but irrelevant to the story: the same storage site is used by Google and Yahoo.
The information on the tapes included names, SSNs, and direct deposit information.
We can infer a great deal from this sample letter, downloadable from the Police Pension Fund site, being sent to affected personnel.
In addition, undercover identities and undercover information WAS NOT compromised, as their data is not maintained at the DRS. Furthermore, anyone hired after May 2007 are not affected by this breach. All information after that date is encrypted and therefore not vulnerable.
That last part, of course implies that information prior to May 2007 may or may not have been encrypted, and I'll take my chances with "may not" if I had to wager money.
It's hard to--nay, almost impossible to--criticize the pension fund in this case. Granted, they started encrypting all information beginning on May 2007, which begs the question "what about all the other info?"
But, when you consider that the problem of data security didn't come into the nation's consciousness until sometime around 2005-2006--with the VA department and Choicepoint breaches--it looks like the fund may have been right on target when it came to rolling out its data security policies about a year later. (Well, I’m assuming there is such a policy, which I'm inferring from the sample letter as well.) As a note, my understanding is that the VA still hasn't finished their project.
Plus, technically, it's the storage facility's fault: it's branded as a secure environment, so how does this guy with an expired badge who's not on the authorized list get in?
And, the tape thief was able to disable security cameras! The last data-anything-site I visited was in the northeast, and had their surveillance feeds being recorded 900 miles away in Georgia, which was monitored 24/7. If a camera had gone off-line, they would've known. Obviously this wasn't the case here, since the people who figured something was awry and started an investigation were with the pension fund, if what I'm reading is correct.
The blame, I'd say, lies with some body other than the pension fund. It would have been nice, however, to go back to the old tapes and encrypt those contents as well. I mean, ultimately that's why you encrypt data: you just don't know how or when disaster will strike. But again, hard to point the finter at the pension fund on this one.
Related Articles:http://www.networkworld.com/news/2009/030509-nypd-insider-data-theft.html?hpg1=bnhttp://www.securitymanagement.com/news/nypd-suffers-massive-data-breach-005304http://datalossdb.org/incidents/1808-stolen-tapes-contain-social-security-numbers-and-pension-information-of-80-000http://blogs.zdnet.com/BTL/?p=13958