[Dataloss] followup: ACS Breach Warning Letter

Bruce.Forestal Bruce.Forestal at target.com
Wed Nov 8 10:08:41 EST 2006


Good Day,

The claim of "password protected" is a joke as most all of these laptops
are Windows OS with only a logon password which is easily bypassed.
This is somehow supposed to make the public have a warm fuzzy feeling
that their data is safe.  Once in a while we hear that the data is
encrypted and password or pass-phrase protected.  Someone had commented
previously that at least some of the current disclosure laws don't
require notification if the data is encrypted.  I'm curious as to how
many incidents of data loss are occurring but not reported because the
data is encrypted?

Speaking of encrypting personal information, has this technology not
been taught in college, or banned from use by anyone outside of the DOD?
Most all of these incidents of data loss could have been mitigated by
just simple encryption.  Encryption is both easy and cheap; actually it
can be had for free.  Laptops are a target for thieves, this is not
going to change although one can surely reduce the chance of theft by
teaching employees some user awareness but it won't be eliminated.  

I'm personally a fan of PGP Desk, all of my client data is saved on a
PGP encrypted partition and all emails that even hint of sensitive data
are encrypted.  Most Non Disclosure Agreements require me as consultant
to protect client data, using anything short of a reliable encryption
scheme would put my client data at risk and leave my butt hanging in the
wind.  I would not be happy if my laptop was stolen or lost but at least
I could state with confidence that the client data was very secure.
Other than the NSA or like entities I don't know of anyone that would
even have a chance of breaking the encryption.

It's obvious in many of these data loss incidents that an encryption
policy was not in place or not followed.  Roughly two-thirds of the
states have disclosure laws but that does not mean they are always
followed and then there is the government side.  Does anyone know the
disclosure laws for government?  Does anyone have an idea of the
percentage of data loss that is not disclosed?

Bruce Forestal, CISSP
AmbironTrustwave
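The contrast the post draws between a logon password and real encryption of data at rest is illustrated below with an added, runnable example; it is not code from the post or from any product it names. It models a stolen drive as a dictionary of raw file bytes: the "logon-only" file is readable as soon as the disk is read outside the operating system, while the encrypted file can only be recovered with the passphrase, and any tampering with it is detected. The cipher is a stand-in assumption for demonstration purposes (PBKDF2-derived keys, an HMAC-SHA256 keystream in counter mode, and an HMAC tag over the ciphertext) rather than the AES-based modes a shipping product would use; the record contents and passphrases are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample: the kind of client record a consultant keeps on a laptop.
SAMPLE_RECORD = b"Client: Example Corp (constructed)\nID: 000-00-0000\nNotes: audit findings\n"

KDF_ITERATIONS = 200_000   # PBKDF2 work factor; assumption, tune for the hardware in use
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32               # SHA-256 HMAC tag


def derive_keys(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from a passphrase with PBKDF2-HMAC-SHA256."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF keystream: HMAC-SHA256(key, nonce || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag (encrypt-then-MAC)."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the passphrase is wrong or the blob was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def build_stolen_drive(passphrase: str) -> Dict[str, bytes]:
    """Raw bytes as they sit on disk: the OS logon check is not part of the bytes at all."""
    return {
        "logon_only/clients.txt": SAMPLE_RECORD,              # 'password protected' by logon only
        "encrypted/clients.bin": encrypt(passphrase, SAMPLE_RECORD),
    }


def stolen_drive_scenario(owner_passphrase: str = "correct horse battery staple",
                          thief_guess: str = "password1") -> Dict[str, bool]:
    """Model a thief who pulls the drive and reads the bytes directly (no logon involved)."""
    disk = build_stolen_drive(owner_passphrase)
    return {
        # Reading the raw file gives the thief the record verbatim.
        "logon_only_readable": disk["logon_only/clients.txt"] == SAMPLE_RECORD,
        # Raw ciphertext does not contain the record.
        "encrypted_leaks_plaintext": SAMPLE_RECORD in disk["encrypted/clients.bin"],
        # A guessed passphrase fails authentication and yields nothing.
        "thief_recovers_record": decrypt(thief_guess, disk["encrypted/clients.bin"]) is not None,
        # The owner, with the real passphrase, still gets the record back.
        "owner_recovers_record": decrypt(owner_passphrase, disk["encrypted/clients.bin"]) == SAMPLE_RECORD,
    }


if __name__ == "__main__":
    for check, result in stolen_drive_scenario().items():
        print(f"{check}: {result}")
```

Note that the keystream and tag are keyed separately from one PBKDF2 output, and the tag covers the salt and nonce as well as the ciphertext, so a stolen blob cannot be silently altered before the owner next opens it.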


-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Wednesday, November 08, 2006 1:24 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] followup: ACS Breach Warning Letter

And now my own comments.

: [Customer Name]                                   [Bar Code]
: [Customer Address]                                [Number]

The number below the bar code is 8 digits, starting with 0065. Not sure
if this is an indication of how many affected, a tracking number, or
something else.

: This letter is to inform you of an incident involving the theft of a
: computer that may contain your personal information.  A
: password-protected computer was stolen from a secure facility operated
: by ACS State and Local Solutions, Inc. on behalf of the Colorado State
: Directory of New Hires (SDNH). Employers are required by law to report
: information to the SDNH regarding newly hired employees.

First, we know password protected computers mean absolutely nothing. 
Yanking a drive and mirroring content is trivial for even moderately 
skilled computer users.

Second, ACS needs to look up the definition of secure.

   1. To make safe; to relieve from apprehensions of, or
      exposure to, danger; to guard; to protect.

So this should be worded "relatively" secure or "formerly" secure.

: ACS takes the protection of your personal information very seriously.
: We have established a toll-free number to assist with any questions.
: This number is 1-800-350-0399. We regret this incident occurred.

So seriously, this line is not answered outside of standard business
hours and asks that you call back then.

: Very truly yours,
: 
: [scribble]
: 
: ACS Representative

The signature doesn't look like 'ACS Representative', so whose name is
this and why wasn't it printed? No one stepping up to be accountable for
questions?
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 140 million compromised records in 465 incidents over 6 years.