By Casey Mayville
Sept 30, 2008
"Fall Out." That was the term used by the shipping company when
Dormitory Authority's back-up tapes went missing. On the trip from the
Albany headquarters of this New York-based construction organization to
their data center in New York City, the tapes literally had fallen out
of their yellow mailing envelope. The tapes contained personal private
or sensitive information (PPSI) of over 600 employees and approximately
3,000 vendors. The shipping company needed five days to conduct a formal
search to determine if the tapes were in fact lost, or just misplaced.
In the meantime, Dormitory Authority's compliance officer Michael
Springer was faced with a dilemma: Do we alert our vendors and employees
that there has been a security breach or wait five days to make the
decision? Within two days' time, senior management decided to meet and
exceed all disclosure requirements. "If there [are] time requirements,
we're going to beat them. If there's criteria laid out, we're going to
exceed it. We want to be forthright and very responsible for this entire
situation," said Springer. And so began the disclosure process.
The first step was to determine exactly what kind of information was on
the tapes and who it would affect. The five tapes were nightly back-ups
of various systems. The two most critical systems housed the financial
management application and the employee time-keeping application. Both
of these applications contained PPSI -- and neither was encrypted.
Social Security numbers and tax ID numbers of thousands of vendors and
hundreds of employees were now compromised.
The organization then notified New York's Office of Cyber Security and
Critical Infrastructure Coordination (CSCIC), the Attorney General and
the state's Consumer Protection Board of the situation.