According to The Associated Press, 15K New York City transit workers social security numbers and other personal information leaked and found on a CD inside a refurbished CD drive sold by a retailer.Metropolitan Transportation Authority Chief Information Officer Sidney Gellineau said, "While we do not suspect nor have seen any evidence of misuse of the data, every precaution is being taken to ensure that this is the case."
The MTA said an investigation is underway "to determine the cause of this security breach." A complaint also has been filed with the New York Police Department, an NYPD spokesman did not immediately comment.
The Transit Authority said a customer of an unnamed major retailer purchased a refurbished CD drive for her personal use. That customer discovered the drive contained a CD that had a list of about 15,000 active, retired, deceased and former New York City Transit employees, along with certain personal information including Social Security numbers, dates of birth, earnings information and other data.
The list includes employees holding positions in various titles, and levels throughout the organization, the customer who bought the computer turned out to be an employee of a vendor that works with the Transit Authority.
Beth Diamond, a global claims leader at the insurance company Beazley, said it's entirely possible that the exposure of the personal information resulted from an act of carelessness.
She noted that companies and other entities often donate old equipment to nonprofits, who then may in turn sell the equipment to retailers if they don't have a use for it. The disc could have accidentally been left inside when that happened.
Employees also will sometimes look for old equipment at their workplaces that they can steal and resell. And it's possible that a MTA employee copied some data for work-at-home purposes, forgot about the CD and then sold the drive with it inside.
But even in cases where the data is lost and not stolen, disaster can occur. Diamond said there have been cases where businesses such as real estate offices closed down and didn't properly dispose of their clients' personal information, which was then found by criminals.
"If the wrong individuals stumble upon it, they can realize that it can be a gold mine," she said.
In order to prevent accidental breaches, Diamond said many companies put restrictions on employee computers that prevent them from copying files to take home. But no matter how many precautions are taken, breaches caused by human error are inevitable, she said.
The MTA letter noted that the placement of unencrypted personal information on a CD was a violation of its policy. "We are not aware of any other such violation of the policy."
No comments:
Post a Comment