
D.C. Workers' Stolen Data Lacked Security, Encryption


A laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees has been stolen, officials said.

The computer was stolen Monday from the Washington home of an employee of ING U.S. Financial Services, said officials with the company, which administers the district's retirement plan.

The company did not notify city employees of the theft until late Friday because it took officials several days to determine what information was stored on the laptop, ING spokeswoman Caroline Campbell said.

The laptop was not password-protected and the data was not encrypted, Campbell said.

The company said it was working with district police and had hired a private investigator. Police would not confirm the theft Saturday.

City officials said they were disturbed about how the data was stored and that the company waited to report the theft.

"We are concerned that this information was being managed without protection," said Mary Ann Young, spokeswoman for the city's chief financial officer.

She said the district expects details about the incident from ING this week.

The company has sent letters to all affected employees warning them of the possibility of identity theft. ING also will set up and pay for a year of credit monitoring and identity fraud protection, Campbell said.

"For us, this is very unfortunate," she said. "But we're moving forward, we're very focused and committed to find any other laptops that don't have encryption software and to fix that. This incident revealed a gap."

Two other ING laptops containing information on 8,500 Florida hospital workers were stolen in December, but the employees were not notified until this week, said ING spokesman Chuck Eudy. Neither laptop was encrypted, he said.

The Department of Veterans Affairs recently lost data on 26.5 million veterans and military personnel stored on a laptop and external drive stolen from the suburban Washington home of a VA employee.

Security experts and some privacy groups say simple measures could protect data if a laptop falls into nefarious hands. They include encrypting the information so it's nearly impossible to access without the correct credentials.

"It is shocking how many of these are stolen laptops and the fact that the users of the laptops did not use encryption to secure the data," Beth Givens, director of the Privacy Rights Clearinghouse, said of recent data losses. "If thieves read the newspaper, they can readily figure out that they have got more than just a piece of hardware."

Since June 2005, there have been at least 29 known cases of misplaced or stolen laptops with data such as Social Security numbers, health records and addresses of millions of people, according to the Privacy Rights Clearinghouse, a San Diego-based nonprofit that tracks data thefts.

So far, there is no evidence the stolen data were used for identity theft or other nefarious purposes. In most cases, the laptop itself, not the personal information on it, was the likely target of the theft.

Sometimes, there's no good reason why so much information is being kept on individual machines that are designed to be carried out of the office. In other cases, workers were allowed to have the data on the laptops but didn't follow proper procedures for keeping it safe. In others, they broke the rules by taking personal data out of the office or not protecting it with digital tools.

Laptops have been stolen from cars, gone missing when checked for airline flights, and been taken from offices and employee homes. Hospitals, universities, consulting firms, banks, health insurers and even a YMCA have lost personal data.

The portable computers are usually protected by passwords needed to boot them up, but the data on their drives are still accessible. Encryption, on the other hand, scrambles the information and would render it useless to a thief without a digital key that decrypts the data.

A variety of encryption tools are available, including software as well as specialized chips.

But many people are reluctant to use them because losing the key can make it hard to access the data and the programs can slow down data access, said Alan Paller, director of research at the SANS Institute, a computer-security organization in Bethesda.

That could change as computer manufacturers start selling laptops with encryption built in. Microsoft's Windows Vista operating system, due late this year for businesses and early next year for consumers, is expected to make it easier for users to encrypt all their data.

Many states now require companies and organizations that store personal information to inform the public when the data leaks. But those laws generally don't make reporting obligatory if the lost data were encrypted.

Some companies that have lost laptops are responding with better security measures.

Ernst & Young, which has 30,000 laptops used by its highly mobile staff of consultants, is encrypting all contents on the computers, according to company spokesman Charlie Perkins.

But in February, as the policy was being implemented, a laptop that hadn't been encrypted was stolen from an employee's car. With it went the names, addresses, and credit card information of about 243,000 customers of Ernst & Young client Hotels.com. Perkins said there is no evidence any of the data was misused.

"We evaluated our policies in this area across the board," he said. "Encryption is the most significant step."

Of course, security measures can only work if they are actually used. In several cases, laptops were lost or stolen when employees violated company rules by leaving them in parked cars or in their homes. And data that are supposed to be encrypted by an employee sometimes aren't.

On June 2, grocery retailer Royal Ahold NV said contractor Electronic Data Systems Corp. lost a laptop with personal information on an undisclosed number of retirees and former workers of Ahold companies, including grocery chains Stop & Shop and Giant Food.

The EDS worker was asked to check the laptop on a flight because the plane's storage bins were full, according to EDS spokesman Kevin Lightfoot. When the flight arrived, the laptop never reappeared. The employee was disciplined for violating company policy by checking the computer as luggage, Lightfoot said.

Since the incident, EDS has reminded its employees about rules on handling laptops.

"You have to work with your employees to make sure this information is protected," Lightfoot said.

In January, Ameriprise Financial, an investment advisory company, said the internal account identification numbers of 158,000 clients were lost when a laptop was stolen from an employee's car. The employee was supposed to have encrypted the data, which was on two files, but had not, according to Ameriprise spokesman Steven Connolly. The worker was fired.

The VA plans to recall every laptop to make sure the security programs are up to date. The data on the laptop taken from the suburban Washington home were in a form difficult for an outsider to use, and authorities believe thieves may have erased the information before selling the hardware.

But that doesn't satisfy August Woerner, an 80-year-old World War II veteran from Westerly, R.I. He received a letter from the VA saying his data may be on the laptop because of a claim he filed several years ago at a VA medical center.

Woerner takes every precaution he can to shield personal information -- he checks his credit rating online regularly, shreds financial documents and monitors the balance of his credit card nearly every day. Despite his diligence, he is convinced someone will steal his identity soon.

"I do the best I can, but I can't very well fight this theft," said Woerner. "That data should not be readily available by someone simply walking it out of a building."
