From: InfoSec News (alertsinfosecnews.org)
Date: Tue Mar 13 2007 - 01:28:58 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://www.scrippsnews.com/node/20094

By MICHAEL DOYLE
March 12, 2007

Agriculture Department computers stolen in Stockton and Yuba City,
Calif., could contain sensitive information about Central Valley
farmers, federal investigators warn.

The seven computers stolen from the Valley offices over the past several
years also reflect a larger problem, investigators believe. Officials
didn't notify farmers whose personal information might have been
compromised at the time of the thefts, nor did they have in place
necessary safeguards.

"As a result," the investigators cautioned, "personally identifiable
information of USDA customers and employees may have been lost and is at
risk for improper use."

Lost and stolen computers have become a perennial problem for many
federal agencies, and potentially pose risks to both privacy and
national security. Census Bureau officials, nuclear weapon scientists at
Los Alamos National Laboratory in New Mexico and analysts at the Energy
Department's Office of Intelligence have all misplaced laptops, discs or
other computer equipment in recent years, previous investigations found.

The losses have prompted the Bush administration to step up its
scrutiny, prompting the latest audit by the Agriculture Department's
Office of Inspector General. Agriculture Department officials have
accepted the criticisms and say they are making improvements.

In July, the Agriculture Department reported to Congress that officials
had found only eight incidents where private information might have been
compromised by the loss of equipment since 2003. But when the Office of
Inspector General looked more closely, the investigators found the
Agriculture Department's initial report was "not accurate."

A total of 95 Agriculture Department computers were stolen between Oct.
1, 2005 and May 31, 2006. In at least nine cases, officials acknowledged
that the computers included names, addresses, Social Security numbers
and payment information for individual farmers. These nine cases were in
addition to the eight previously reported by the Agriculture Department.

"The true number of incidents might not be known," investigators added,
because agencies "were not tracking, reporting or following up on stolen
computer equipment."

The stolen computers identified by investigators included six taken from
Yuba City and four taken from Stockton. The Agriculture Department
maintains offices in both cities to administer programs for farmers
throughout the Valley.

"Farmers, like any business owner, would not want their private
information out in the public," Julia Berry, executive director of the
Madera County Farm Bureau, noted Monday.

Berry added, though, that she had not heard specific concerns raised by
local farmers about losing sensitive Agriculture Department information.

"There is always a concern about rural mail theft, and identify theft,"
added Liz Hudson, outreach director for the Fresno County Farm Bureau,
"but this is the first I've heard of the (Agriculture Department)
computer thefts."

The new audit does not specify exactly what information might have been
on the stolen California computers. Other offices suffered even greater
losses, including the Agriculture Department office in Tangent, Ore.,
from which 23 computers were stolen.

Nationwide, the investigators found that:

* Two-thirds of the stolen Agriculture Department computers lacked
  encryption, which means anyone could look at the stored information.
  Since June, the Bush administration has required that all sensitive
  information be encrypted.

* In more than half of the cases, users of the stolen computers weren't
  aware whether the Agriculture Department followed up on whether
  private or sensitive information had been lost. Since June, federal
  agencies have been required to conduct the follow-up assessments.

* More than 2,000 files containing private, sensitive information about
  farmers were found on computers still located at the Agriculture
  Department sites visited by investigators. Agency officials attributed
  this to a programming error, which has since been corrected so that
  the private information is retained only on central databases

Agriculture Department officials expect to complete purchasing an
encryption package by the end of March.

_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]