Security breach compromises 5,000 social security numbers at Consumer Affairs

June 23, 2008

By Malcolm Maclachlan

The state Department of Consumer Affairs (DCA) has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.

The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this was public information.

"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.

The main danger with giving away a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name. However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.

The DCA is the main state agency charged with protecting consumers in California. From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.

Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.

"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich said. "We're looking into how that happened."

The breach was discovered on Monday, June 9, Heimerich said. People whose names were on the list were sent an email the next day and an official letter a week later. The letter warned them to keep an eye on their credit reports and advised them to call the police if they see anything suspicious. It also included contact information for the three main credit reporting agencies, Experian, Equifax and TransUnion.

Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list. He said the DCA had not yet determined how much these protections were going to cost.

About 2,800 of the people on the list are current, full-time employees of the DCA. The document also included some former employees and numerous contractors, such as people who proctor state job examinations. The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.

One agency whose employees were not on the list is the California Office of Privacy Protection (OPP). That agency moved under the State and Consumer Services Agency, effective January 1, as part of a reorganization designed to improve the state's technology infrastructure. They are still headquartered in the same Sacramento office as the DCA, but only one of their nine employees was listed on the compromised document.

OPP has been advising DCA and its employees on how to guard against identity theft, said OPP chief Joanne McNabb. She said the DCA has been very fast and proactive in dealing with the breach.

"The Department of Consumer Affairs has been very true to its consumer mission in reacting to this for their own employees," McNabb said.

McNabb encouraged anyone concerned about identity theft to visit their website for more information on how to protect themselves.
