DOT Victim of Computer Theft

from eWeek

The US Department of Transportation has announced that a laptop computer containing names, addresses and social security numbers of 133,000 Florida residents was stolen two weeks ago.

According to a letter sent to Congress on August 9, the theft of the laptop happened on July 27 in Doral, Fla., a suburb of Miami. The theft was reported to the DOT Inspector General on July 31.

The information on the missing laptop included people in Miami-Dade County who hold commercial drivers licenses, Florida residents who have pilot’s licenses and people who got their Florida drivers licenses from a facility in Largo, Fla.

David Barnes, communications director for the office of the inspector general at DOT, told eWEEK that the agency is looking for a Dell Latitude model C640 computer.

“Our laptops are routinely encrypted,” Barnes said. “When we issue them we migrate data from the desktop and it’s automatically sent to an encrypted folder or directory.”

Barnes said that this is where users routinely store information. This time, unfortunately, the information was not encrypted.

“What happened is that we were upgrading our systems, but in order to push the update through the system they had to decrypt the data,” Barnes said.

Barnes noted that even though the data is not encrypted, it is still password protected, and he said that the protection meets NIST standards.

Barnes also said that his office, which conducts audits for the DOT as well as computer security and criminal investigations, has agents going through the backups of the laptop’s hard disk to determine what was actually on the machine. “We’ve found four databases,” he said.

The theft happened when a government-owned SUV was broken into while the agent driving it was at lunch.

Barnes said that what the investigator told him is that he had the laptop with him as he attended meetings in the Miami area. He then went to lunch after parking and storing the laptop in the back of the SUV.

The agent noticed that the laptop was missing later in the day, Barnes said. Investigators from the OIG found evidence of tampering with the passenger side door lock a few days later.

“That was when they filed a report with the police,” Barnes said.

Barnes said that the agency is offering a $10,000 reward for the return of the laptop computer. He asked anyone who might have information to call 800-424-9071 and mentioned that this information can also be sent via the Web site at oig.dot.gov.

Data breaches like this will continue to occur, said Bruce Brody. Brody, who is vice president of information security at Input, a market research and consulting company in Reston, Va., said that these issues are the signs of a larger problem and have a lot to do with the culture of an organization.

Brody, who is the former chief of information security at the Department of Veterans Affairs and at the Department of Energy, said that the problem is really that managers are not being held accountable for security in their organizations.

“It’s a culture of decentralization and decentralized approaches to information security,” Brody said. “There is no person who has the central authority and power to enforce procedures and practices across the organization.”