WCCO reports, and thanks to Jon P for the tip.

It’s reported that the data doesn’t appear to have been compromised. A major, major bullet dodged!

On that unencrypted device? 3,300,000 names, addresses, Social Security numbers, and other personal data on borrowers. Over three million college students breached, one single device, no real security.

Officials say it was “a simple, old-fashioned theft” and “not a hacker incident.” Of course that’s of almost no consolation.

The list continues to grow. And of course, had the device been encrypted with patent-pending and NIST FIPS Level 2 certified MyLaptopGPS strong encryption, or any other decent encryption, there would be no issue here.

But what is curious is that the laptop “had safeguards to protect sensitive information, including strong password protection and encryption.” Even still, the company is offering free credit monitoring.

No report of the number of victims has been given.

The response to the “breach” makes one wonder if there’s more to the story. Was the encryption not properly applied (very common)? Did the employee tape a handwritten plain-text passphrase note onto the palm rest (it happens–that’s why MyLaptopGPS offers Remote Decryption Kill)? Tough to say, and it’s all speculation. Something just seems odd about the reports and the response.

We will have to see if it shows up on the HHS Hall of Shame or not.

The days of “a lump of coal in the stocking” are certainly over.

The HITECH Act of 2009, one intent of which was to add more teeth to data security requirements for healthcare information, included a provision in section 13402(e)(4) requiring the Secretary of the U.S. Department of Health and Human Services to post a list of data breaches of unsecured protected health information affecting 500 or more individuals.

We might call these the “mega-breaches” or, that is, at least the serious breaches that affect many people.

A couple of important details are worth noting, about the HITECH Act of 2009. First, if a breach affects fewer than 500 people in one state, a breaching organization does not have to contact the media (though one of the victims certainly might). The organization does have to contact each breached individual, however, to notify of the breach. Second, the rules apply to unencrypted PHI. Encrypting the data, as always, is mitigation of the risk and turns a “breach” into a “non-event.”

Encrypting data, such as with MyLaptopGPS’ FIPS-certified strong encryption for data-at-rest, is the key difference between a major PR disaster (and regulatory nightmare), and a sigh of relief.

And now for The Bad List (click to view at HHS’ website).

Fox News reports on the RollCall.com article (thanks to lyger for the tip). Apparently, the hard drive had been sent to NARA during the Clinton administration and contained Personally Identifying Information (PII), including Social Security Numbers, for about 250,000 visitors and Clinton staff members–including the Social Security Number of one of Al Gore’s daughters.

The breach letters are going out, the damage is building, and must be reminded that a little encryption goes a long way…

News Channel 3 reports that a Goodwill spokesman stated, “Basically it would be impossible for an individual to even know what to do with that data or even how to open it up.”

While this is most likely quite untrue, as always it’s likely that the thief himself is clueless. Those downstream? Certainly not. In any case, it’s the same old mantra with respect to “hopefully nobody will pilfer anybody’s identity” with the data, rather than any actual security in place. It’s pretty hard to fault the Goodwill much, though, as budgets are surely tight and security measures at even more “advanced” businesses tend to be equally dismal.

As for the thief: breaking into the Goodwill? Seriously? That’s low. Let’s be doubly eager for an arrest here.

Thanks go to kirniki at DataLossDB for the tip.

For a recap of this year’s MyLaptopGPS Rip of the Week column, view that index here.

Additionally, Redemtech has posted an excellent chronology of this year’s data breaches–highly worth a look.

While I can’t say it’s “been a good year” where data security is concerned, I can say that it seems that more and more organizations are waking up. Usually they wake up only by “force,” reacting to a big breach, but they’re awakening nonetheless.

Here’s hoping 2010 is safer than 2009.

Newsday.com reports on the theft of 2,246 Bernie Madoff victims’ PII thanks to an unsecured laptop computer belonging to AlixPartners LLP, the consulting firm that had been processing the victims’ claims. To be clear, then:

1. Victims lose their life savings (thankfully not in all cases) due to one of the most egregious cases of fraud by an individual in history.
2. Victims hope to receive some restitution, even minimally.
3. Firm chosen to assist by processing claims fails to protect PII on its own laptops.
4. Firm experiences the same thing 2.6 million others did last year: laptop theft.
5. Firm claims information was “password protected” (sound familiar?). That is, the data is wide open.
6. Firm delays two months before notifying the victim-victims.

Obviously it’s doubly sad that victims experienced double jeopardy. And it’s made worse by the fact that this story is just like almost every other one, including the response by AlixPartners that “the information was password protected” and “[they] have no reason to believe it has been compromised.”

I must admit that I did a double-take when I read the spokesman’s statement, however:

“The names, addresses, Social Security numbers and some Madoff account information on 2,246 investors was contained in a computer stolen from the car of an employee of AlixPartners Llp, the consulting firm that has been processing victims’ claims in the Ponzi scheme, a company spokesman, Tim Yost, said Tuesday.”

That’s right: his name is Yost. And no, we are not related, by anything more than a common appreciation for laptop theft and its consequences, which one of us learned the hard way.

As a result, “hundreds” of former students and faculty members may be at risk for identity theft, since the machines contained the typical slew of names, addresses, and Social Security Numbers.

No encryption. No tracking (presumably). No remote data deletion. No hope for protection at this point, essentially.

It sounds like this thief made off with a pretty stout take, however–14 units to sell or dig for PII. Our thanks go to Redemtech for the initial alert.

This time, the BBC reports that a laptop containing a trove of Personally Identifying Information (PII) of members of six pension schemes in the UK was stolen from software company NorthgateArinso. The breach victims include members of:

1. Social Housing
2. SSHA
3. Independent Schools
4. Flexible Retirement Plan
5. Growth Plan (Series 1, 2 & 3)
6. Unified Ethical Plan

Here’s an eerily familiar statement:

“The data was protected by a password and was ‘not easily accessible’ said the Pensions Trust, which said it was sorry the laptop had been stolen. However the data, which was not encrypted, included names, addresses, dates of birth, employer, national insurance numbers, salary details and, in the case of those receiving their pensions, their bank details too. “

As we’ve seen recently in Oklahoma, “not easily accessible” is a very relative phrase. The data wasn’t encrypted. Now it’s out there. And, there’s no sign of tracking software in the mix.

Same song, 109,000th verse.