Towards Employment — a non-profit organization in Cleveland, Ohio that helps people find jobs — has announced that a laptop with names and SSNs of 26,000 people was stolen last month. It appears that full disk encryption like AlertBoot was not used to secure the data. The breach affects 260,000 people.
Data Spans 36 Years
According to a commentator at cleveland.com, Towards Employment has offered job-placement services to low-income people since 1976 and to former convicts since 2004. So, over the past 36 years, it has helped more than 100,000 people. Of those, about 26,000 had their social security numbers, names and addresses in the database.
It was noted that the laptop was password protected, but that “it is possible that someone could still gain access to the personal information.” The word “possible” here is an understatement. It’s not “possible” as in “a one in a million chance is still a possibility.” Rather, “possible” denotes “ease” as in “it’s possible to substitute the mashed potato with grilled vegetables.”
As I remark quite often, “password protection” is a misnomer: a login password controls who can sign in to the operating system, not whether the data stored on the disk can be read, so it protects nothing once the laptop itself is in someone else’s hands. They should rename it password faux-tection or something along those lines.
Towards Employment has made some internal changes in light of the laptop theft. First, it’s not collecting Social Security numbers anymore. Second, it purged the SSNs already collected, replacing them with the last four digits of each SSN. Well, I think the records were purged, and I certainly hope that my assumption holds up. Otherwise, there’s always the possibility for the non-profit to experience another breach of sensitive, personal data.
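To make the “last four digits” purge concrete, here is an added example (not code from the post or from Towards Employment) that truncates the SSN column of a set of constructed, fictitious records and then scans every text field for any full SSN that survived, which is the check you would want before assuming the purge held up. The record layout and the notes field are assumptions for illustration.

```python
import re

# Matches a plausibly valid full SSN (area not 000/666/9xx, group not 00,
# serial not 0000), with or without hyphens, not embedded in a longer number.
FULL_SSN = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}(?!\d)"
)

# Constructed, fictitious records standing in for a job-placement database.
SAMPLE_RECORDS = [
    {"name": "A. Example", "address": "1 Main St", "ssn": "234-56-7890", "notes": ""},
    {"name": "B. Example", "address": "2 Main St", "ssn": "345678901",
     "notes": "client gave SSN 234-56-7890 over the phone"},
    {"name": "C. Example", "address": "3 Main St", "ssn": "7890", "notes": ""},
]


def truncate_ssn(value: str) -> str:
    """Keep only the last four digits; pass through values already truncated."""
    digits = re.sub(r"\D", "", value)
    if len(digits) == 4:
        return digits
    if not FULL_SSN.fullmatch(value.strip()):
        raise ValueError(f"not a well-formed SSN: {value!r}")
    return digits[-4:]


def purge_ssns(records):
    """Return copies of the records with the ssn column reduced to the last four digits."""
    return [{**r, "ssn": truncate_ssn(r["ssn"])} for r in records]


def residual_full_ssns(records):
    """Indexes of records where a full SSN still appears in ANY string field.

    Run this after the purge; a clean purge returns an empty list. Note that
    truncating the ssn column alone does nothing for an SSN typed into a
    free-text field, which is exactly what this scan is meant to catch.
    """
    hits = []
    for i, rec in enumerate(records):
        if any(FULL_SSN.search(v) for v in rec.values() if isinstance(v, str)):
            hits.append(i)
    return hits


if __name__ == "__main__":
    purged = purge_ssns(SAMPLE_RECORDS)
    print("residual full SSNs after purge in records:", residual_full_ssns(purged))
```

The pattern is deliberately loose about hyphens, so any nine-digit number it flags (a phone number, say) should be reviewed by a person rather than auto-edited.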
Data Security: Why After the Fact?
The story of an agency having a data breach, non-profit or otherwise, is not news. Neither is the fact that they step up their security after they suffer a data breach (as if that’ll somehow magically wipe the SSNs held by potentially criminal third parties).
Now, I can understand this at a certain level: sometimes it takes a massive amount of negative publicity to secure funds. But in this particular case, even that doesn’t make sense. As far as I can tell, the agency decided to stop collecting information, as opposed to upgrading its data security by employing encryption software for laptops.
(Plus, I’m not sure I understand why they stopped collecting SSNs but decided to truncate existing ones. Wouldn’t it also make sense to wipe that data completely?)
Not collecting data is a perfectly good way of protecting oneself against a data breach. But why wait until you have a breach?