Have I mentioned how valuable it is when states post breach notices online? A reader points me to a new addition to California’s security notices page from the DOJ’s Computer and Technology Crime High-Tech Response Team (C.A.T.C.H.). The incident they are reporting was a hack by those affiliated with Anonymous in 2011:
In November 2011, hackers affiliated with the group Anonymous accessed and released private email accounts belonging to a retired agent for the Department of Justice who was a member of the Computer and Technology Crime High-Tech Response Team (CATCH). CATCH is a multi-agency task force that was formed to apprehend and prosecute criminals who use technology to prey on the citizens of San Diego, Imperial Valley, and Riverside Counties. Some of the emails that the hackers released included data that contained your personal information including, but not limited to, your name, address, date of birth, and Social Security number (SSN).
Others received a letter that began:
In November 2011, hackers affiliated with the group Anonymous accessed and released private email accounts belonging to a retired agent from the Department of Justice who was a member of the Computer and Technology Crime High-Tech Response Team (CATCH). CATCH is a multi-agency task force that was formed to apprehend and prosecute all criminals who use technology to prey on the citizens of San Diego, Imperial Valley, and Riverside Counties. Some of the emails the hackers released included closed identity theft case files that contained some of your personal information including, but not limited to, your name, financial account information or credit card number, and possibly your Social Security number.
The letter to those in the second group also contained the following statement:
In addition, although it appears that the identity theft case file in which your information was contained has been closed, you may want to confirm that your financial account has been closed. If it has not, we suggest that you immediately contact the financial institution and close your account. Tell them that your account may have been compromised, and ask that they report it as “closed at customer request.” If you want to open a new account, ask them to give you a PIN or password. This will help control access to the account.
No explanation was provided as to why there was such a delay between the incident and the notification letters to individuals. Did they delay because it took them time to figure out who had data exposed? Did they delay so that the disclosure would not interfere with any criminal investigation? If people’s accounts were exposed, I hope they contacted them all promptly by phone if not by letter.
Keep in mind that entities only have to file these breach reports with California if the breach affected more than 500 individuals.
So, if I’m understanding this correctly, someone from law enforcement, involved in the investigation of computer crimes, kept copies of official information in a private email account? If anyone should be able to understand the controls required to secure information, shouldn’t it have been the retired agent?
That’s what I’m wondering, too, but I never dl the torrent to see what was in it.