Two laptop computers believed to contain unencrypted personal information about 43 grant reviewers were stolen from an Education Department contractor in Washington, D.C., earlier this month.
The laptops, stolen Aug. 11, contained information about grant reviewers for the Teacher Incentive Fund. An official for the contractor overseeing the reviews, DTI Associates of Arlington, Va., said the firm could not rule out the possibility that Social Security numbers, used in the processing of the reviewers' payments, were on the computers.
The data breach was first reported Friday on Eduwonk, an education news and commentary blog.
Bruce Rankin, DTI's vice president, said he personally attempted to notify all individuals affected by the theft. He said the company will provide each of them with one year of free credit monitoring through Equifax Inc., a credit reporting agency.
Within minutes of realizing that the laptops had been taken from a downtown Washington office building, Rankin said company officials notified the Metropolitan Police Department. Within an hour, they informed the Education Department.
According to Rankin, the police have identified a suspect through the building's security cameras. A reward has been offered for the return of the laptops, Rankin said.
Rankin said the computers were protected with the Windows login password system, but had no encryption software.
Security experts say password protection is insufficient to prevent identity theft and that the only way to secure sensitive information is by using some form of encryption software.
This is the second reported data breach from an Education Department contractor this month and adds to a string of recent reports of missing or stolen government computers containing sensitive information.
Last week, student loan holders logging on to an Education Web site exposed their personal identities to others as a result of a glitch in a contractor's efforts to service the site. As many as 21,000 borrowers in the Federal Direct Student Loan Program may have had their personal data -- including Social Security numbers, birthdates and addresses -- compromised.
On June 23, the Office of Management and Budget ordered agencies to take action to improve the security of personally identifiable information by Aug. 7, including encrypting data on all remote computer devices containing sensitive information.
OMB also has eliminated the distinction between suspected and confirmed data breaches for reporting purposes to the Homeland Security Department's computer emergency response team, known as US-CERT, after Veterans Affairs Department officials delayed for days reporting the theft of a laptop computer containing the sensitive information of 26.5 million individuals because they could not be sure that the data was accessed.
To assist agencies that have lost personally identifiable information, the General Services Administration has awarded a blanket purchase agreement to three credit monitoring companies to provide agencies with easy access to those services.
The award, announced Tuesday, allows agencies to take advantage of lower prices, GSA said. Agencies will be able to select different levels of credit monitoring services depending on the degree of risk.
The vendors included in the agreement are Bearak Reports of Framingham, Mass., Atlanta-based Equifax and Experian Direct Consumer of Irvine, Calif.