The Washington Post recently reported that an employee in the National Finance Center sent an Excel spreadsheet of employees’ personal information to a coworker in an unencrypted email. The Commerce Department sent a letter to all affected employees notifying them that there had been a breach, and is working to set up identity theft monitoring for the employees.
The National Finance Center is a part of the Agriculture Department that deals with payroll and personnel matters for the Commerce Department and some other government agencies, and the spreadsheet contained the names and Social Security numbers of at least 27,000 Commerce Department employees. According to the report, the employee informed supervisors of the mistake almost immediately, and there’s been no indication that it has resulted in any cases of identity theft.
Something of a non-story since no damage occurred? Actually, it raises some interesting points.
- The employee knew enough to report the incident immediately to his/her supervisors. I don’t know whether or not incident response is covered in the security awareness training that the National Finance Center provides, but this is definitely a valuable reminder to the rest of us that it should be.
- It’s a case where the information never left the organization that was responsible for looking after it, but it was still considered to be a notifiable data breach. I’m sure that this kind of thing happens more often than we’d like to think in business and government, but how many organizations would consider this to be a data breach? And, even if an organization’s management knows this, does the organization’s staff?
Have you covered this in your security awareness training?