State workers at risk of theft

June 16, 2006

By Elizabeth Benjamin, Capitol Bureau

http://www.timesunion.com/AspStories/story.asp?storyID=492107&category=CAPITOL&BCCode=HOME



Some 1,300 state employees are being notified this week by the state comptroller's office that they are at risk of identity theft after a computer cartridge containing their payroll information -- including Social Security numbers and home addresses -- was lost.

The employees, who work for a variety of state agencies, will receive a "dear employee" letter dated June 14 and signed by Assistant Comptroller Daniel C. Berry. The letter also includes generic information from state Attorney General Eliot Spitzer's office titled, "Identity Theft: What To Do If You Have Been Victimized."

In the letter, Berry said the payroll data, which contained names, salaries, Social Security numbers and home addresses, was shipped May 30 from the state comptroller's data center in Rensselaer to the W. Averell Harriman State Office Campus in Albany "but was not received at its intended destination."

"While the information on the cartridge is not easily accessible or readable, if it is accessed and read it could be utilized to perpetrate or facilitate consumer fraud or theft," Berry stated.

Some government agencies use special tape cartridges for data unlike newer CD or DVD technology, but more like old eight-track tapes. They require expensive machines to read them.

"It's not the kind of thing you could put in your home or business PC," said David Neustadt, spokesman for state Comptroller Alan Hevesi.

The cartridges can, however, be deciphered at relatively low cost by companies that offer the service. Some of the tapes can be encrypted, making them virtually impossible to read without the proper code, but Neustadt said the information hadn't been encrypted.

Berry urged recipients of the letter to "closely monitor your financial accounts for any unauthorized transactions."

Neustadt said the cartridge was lost by a state Office of General Services courier who was ferrying it to the Labor Department as part of an audit.

OGS spokeswoman Paula Monaco said records show the cartridge was sent first via Federal Express from the state Office for Technology on the Harriman Campus to the comptroller's data center in Rensselaer. Where it went from there, she said, "no one knows."

Monaco said OGS has conducted a diligent search for the package through all "vehicles, mailboxes, offices, tables -- anything this may have been on," and has so far not located it. She noted the agency offers a free tracking service for its courier customers, for whom 40,000 pieces of mail are delivered daily, but the comptroller's data center did not use it.

"OGS feels this is an unfortunate incident," Monaco said. "We try to provide the best service at all times. But it's the customer's choice as to what services they choose, and in this case, the package tracking system was not utilized."

The comptroller's office is working with OGS in hopes of recovering the cartridge, Neustadt said. In the meantime, Hevesi has directed that all data be transferred electronically in the future, and not via courier.

"To protect personal information, the comptroller's office has been in the process of converting data transfers from tape to encrypted electronics," Neustadt said. "Unfortunately, this was the last not to be converted. It will be converted immediately so no confidential data will ever be transferred by courier again."

Neustadt said he was unaware of any similar incident occurring since Hevesi, a Democrat, took office in January 2003.

The comptroller's office notified the state Office of Cyber Security and Critical Infrastructure Coordination, the state Consumer Protection Board and the attorney general's office, but not local law enforcement agencies, Neustadt said.

The information from the attorney general's office urges people who think they might be victims of identity theft to report any fraudulent activity to the "appropriate police and sheriff departments," and also to inform the U.S. Social Security Administration if they suspect someone used their Social Security number to get a job.

The loss of state payroll data comes on the heels of a federal scandal stemming from the May 3 theft of personal data for 26.5 million veterans and active military personnel from the Veterans Affairs Department.

Energy Department officials also recently acknowledged a computer hacker's theft months ago from a National Nuclear Security Administration Center in New Mexico of sensitive information -- including Social Security numbers and security clearances -- on 1,500 employees.

[an error occurred while processing this directive]