[Dataloss] Baltimore State Hwy Administration employees exposed

rchick rchicker at etiolated.org
Sat Apr 26 02:02:34 UTC 2008 

SHA Personal Information Exposed Accidentally
April 25, 2008

BALTIMORE -- Sensitive personal information concerning 1,800 State
Highway Administration employees, including names and Social Security
numbers, was compromised last week, officials said.

"We had an incident where an employee transferred personnel
transaction data from a secure drive to a SHA shared drive," said SHA
Deputy Administrator of Finance and I.T. Normetha Goodrum.

An internal investigation found that the breach was done inadvertently
and not with criminal intent.

SHA said it is currently redacting Social Security numbers and will no
longer keep them in personnel files. They said that personnel
information will be password protected.

Officials said they're still checking to see if the information has
gone beyond the agency, but said they don't believe so. They sent
letters and e-mails to those potentially impacted, including SHA field
workers and former employees.

Computer security expert Avi Rubin of Johns Hopkins University said he
considers the internal data compromise serious and preventable.

"I think it is even more important for organizations to look into
encryption solutions so that when these things occur, somebody can
only find encrypted data and it won't do them any good," he said.

Security breaches of computer data have become a growing problem.
State law mandates that businesses keep consumer data and report when
it's lost or stolen. The state attorney general's office keeps track
of them.

So far this year, 64 companies have reported security breaches,
officials said. They said that hackers sometimes get it, and in some
cases, it's stolen out of employees' homes, cars or lockers.

"They can open bank accounts, take out a mortgages, establish a line
of credit all in your name, then skip town," Rubin said.

"We are taking it seriously, and we want to take every measure
possible so that it does not happen again," Goodrum said.

Computer experts said they are amazed that companies rarely do
security sweeps or preventive maintenance. Rubin said that most react
only after their information is compromised or breached.

More information about the Dataloss mailing list