[ISN] CPA group says hard drive with data on 330, 000 members missing

InfoSec News isn at c4i.org
Fri Jun 9 12:43:20 EDT 2006


By Jaikumar Vijayan
June 07, 2006

Adding to the lengthening list of organizations reporting data
compromises, the American Institute of Certified Public Accountants
(AICPA) today confirmed that a computer hard drive containing the
unencrypted names, addresses and Social Security numbers of nearly all
of its 330,000 members has been missing since February.

The hard drive had been accidentally damaged by an AICPA employee and
was sent out for repair to an external data-recovery service in
violation of the AICPA's policies, said Joel Allegretti, a spokesman
for the New York-based organization. It was on its way back to the
AICPA via FedEx but failed to arrive. Allegretti did not say when
exactly the drive went missing except to note that the package
containing it was due back at the AICPA "toward the end of February."

It took the organization until March 31 to "re-create the drive" and
determine what data it contained. The AICPA began notifying affected
members of the potential compromise of their personal data on May 8
and has since completed the task, Allegretti said.

Jim McClusky, a spokesman for FedEx Corp., said it is unclear what
exactly happened to the drive. But he stressed that it is a mistake to
characterize the package as being lost.

"We did handle the shipment, and we are working closely and
cooperatively with our customer to determine where the package might
be," he said. "It is still being investigated. At this point, we are
looking at it as a missing shipment; that doesn't mean it's lost."

Based on investigations so far, it does not appear that information on
the hard drive has been misused, Allegretti said.

Following the loss, the AICPA is offering affected members a year's
worth of free credit-monitoring services. The incident has also
prompted the group to begin deleting all Social Security numbers from
its member database.

While a note posted on the organization's Web site says the collection
of Social Security numbers has been a long-standing procedure, it
added that "we will cease collecting and maintaining them, except in
limited circumstances. And even for those, we are accelerating our
efforts to develop other means of uniquely identifying our members."

News of the AICPA breach comes amid a flurry of similar disclosures in
recent days. By far, the biggest was the May 22 disclosure by the U.S.
Department of Veterans Affairs that it had lost personal data on more
than 26.5 million veterans discharged since 1975. Since then, the
agency has admitted that the breach may have exposed personal
information on about 2.2 million active-duty National Guard and
Reserve troops as well (see "Personal info on 2.2M troops part of VA
data theft" [1]).

Since then, there have been similar disclosures elsewhere, including
Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based
nonprofit organization. TG said that an outside contractor lost an
unspecified piece of equipment containing the names and Social
Security numbers of approximately 1.3 million borrowers.

On May 26, Sacred Heart University in Fairfield, Conn., announced that
one of its computers had been hacked into, resulting in the potential
compromise of data belonging to 135,000 alumni and would-be students.
And earlier this month, a password-protected laptop containing credit
card information on more than a quarter-million Hotels.com LP
customers was stolen from the car of an auditor at Ernst & Young LLP.

[1] http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000992