Laptop theft exposes teachers to ID fraud risk

About 40,000 Chicago Public Schools employees are at risk of identity fraud after two laptops containing their personal information were stolen on Friday.

The computers were taken from the CPS headquarters, the organization said in a statement. The laptops belong to accounting firm McGladrey and Pullen and its subcontractor, who were reviewing contributions to the Chicago Teacher Pension Fund, according to the statement.

The computers contain the names and Social Security numbers of employees who contributed to the pension fund between 2003 and 2006, the CPS said. The data does not include addresses, dates of birth or any other personal information, it said.

A CPS official on Monday said the laptops had not yet been recovered. The official couldn't say if there are any indications that the hardware was stolen for the information that's on the machines, or because laptops are expensive, portable items that could be easy to steal.

A subject in the laptop theft has been identified, CPS said. Surveillance video was released to the media and a $10,000 reward offered for information leading to the arrest of the perpetrator or recovery of the stolen data.

There has been a string of data breaches in recent years, many of which were reported publicly because of new disclosure laws. Last week the University of California at San Francisco said a possible computer security breach may have put 46,000 campus and medical center faculty, staff and students at risk of identity fraud.

In 2005, UC Berkeley warned more than 98,000 people that the theft of a laptop from its graduate school admissions office exposed their personal information. That laptop was later recovered.

Since early 2005, more than 150 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse.

Identity fraud continues to top the complaints reported to the Federal Trade Commission. Such complaints, which include credit card fraud, bank fraud, as well as phone and utilities fraud, accounted for 36 percent of the total 674,354 complaints submitted to the FTC and its external data contributors in 2006.

CPS will pay for one year of credit protection for any current or former employee affected by the theft, it said.

[danielwsmithee]

Madness

This is madness. It is not that hard to protect data like this. 1) Don't put it on a laptop unless absolutely necessary. 2) Encryption it is not that hard, especially when most current operating systems have it built in FileVault & BitLocker.

[Stating]

The Only Way To Get A Stolen Laptop Recovered...

It seems like the only way to get a stolen laptop recovered is by having it contain Social Insecurity Numbers. If you or I have our laptop stolen, nobody cares and you will never see it again. If the same laptop causes a massive security breach, it will turn up in 48 hours. Perhaps we could claim that Osama stole a laptop containing 40,000 SSNs. I'll bet we find him fast...

[county23]

Laptop Thefts

What in the hell is going on with these SHORT SIGHTED people and companies?
Are their IT Departments so short sighted?
The answer is YES!
I work for a Medical Device company who's Sales Reps use laptops and they also USED to keep that kind of info on them, because NOBODY here wanted to deal with it, I tried talking to upper management but it fell on deaf ears until California put in it's privacy laws,
Then they did a band-aid approach to the problem,
3yrs later, and the stolen VA Laptop making the headlines, on of our VP's pulled his head out of the dirt and insisted we do something to protect our laptops from ID-Data theft..
FINALLY! We are now loading PointSec on the laptops, which gives us full disk enryption,
It may not totally fool proof, but it's a start and better than nothing...
Personally, I don't understand why any laptop needs to carry thousands of personal data like that,
I think companies who are this careless with personal information should be held responsible, and not just offer 1 yr of free credit monitoring.
Thats my 2 cents

[Dalkorian]

+1

County23 offered this comment:

"I think companies who are this careless with personal
information should be held responsible, and not just offer 1 yr
of free credit monitoring."

I couldn't agree more. Where did this concept of "1 year of free
credit monitoring" come from anyway? What moron thinks that
this data will be useless in exactly 365 days?

Companies this careless with their data (and yes, this includes
our govenment as well) should be *FORCED* to pay for credit
monitoring to everyone who might be exposed FOR THE REST OF
THE VICTIM'S LIVES!

That might get a companies attention.

[wbenton]

Dumb... dumber... dumbest!!!

#1. Require mandatory hard disk encryption (not Microsoft's OS encryption).
#2. Require strong BIOS passwords with strong disk encryption unlock password.
#3. Cable ALL PC's not just lap tops to the physical desk so that they CANNOT be removed. (And with #1 above, even if they were to remove the physical disk... it would not be usable in another PC).
#4. Mandatorily require that ALL such data be stored on the server's hard disk and never stored locally. Also ensure that access to the server is severely restricted to those essentially required personnel ONLY.
#5. Ensure Security Policies are modified as required to stay up to date with the latest practices and that everybody is following them as they were written.
#6. Disallow removable media from be inserted in any machine except for specially approved encrypted memory sticks, etc.
#7. Ensure tape backups of the data are encrypted.
#8. Employee somebody who understands and can ensure the rest of company complies with Steps #1-7!

Walt

[Schratboy]

Common sense

All of what you say is prudent but getting execs and users to adopt this policy is impossible. The leadership usually exempt themselves thereby setting a bad precident, thus undermining an effective security culture. At the very least creating an encrypted container for sensitive information should be mandatory on any school system.

[walleyek]

These laptops WERE encrypted...

Turns out M&P believed the data was encrypted. This spells INSIDE JOB. I agree that "encryption is necessary, but not necessarily sufficent". These machines need to be equipped with kill pill capabilities to whack the data when stolen. How embarrassing for M&P -- especially since they offer a "Data Security" practice. Talk about eating the ironically-flavored dog food!