The state Department of Consumer Affairs has sent letters to 5,000 employees, contractors and board members warning them of a security breach that has compromised their names and social security numbers.
The breach occurred on June 5 or 6 when a Microsoft Word document was improperly transmitted electronically outside of the department, said DCA spokesman Russ Heimerich. The document also contained the salaries and titles of everyone on the list, but Heimerich noted that this is public information.
"The thing that is troubling to us is that information was coupled with their social security numbers," Heimerich said.
The danger in disclosing a social security number is that it can be used to set up new credit cards, loans or purchases in someone's name. However, a thief would generally need other information that was not included and could be harder to get, such as addresses, phone numbers and driver's license numbers.
Paul Stephens, policy director with the San Diego-based Privacy Rights Clearinghouse, said that social security numbers can be a huge worry when combined with other information. He urged those affected to act immediately to put a fraud watch on their accounts with credit monitoring services.
"The fact of the matter is that a lot of the other information that may not be on there, such as addresses and phone numbers, could be obtained by other means," Stephens said.
The DCA is the main state agency charged with protecting consumers in California. From 2003 to 2007, it also housed the office charged with educating consumers and businesses about identity theft and fraud.
Heimerich said the incident is still being investigated, and that he could not disclose who had received the document. He said that so far there is no evidence that any information has been used. It was not even clear the recipient had opened the document.
"We know that it left the building and that it wound up somewhere it shouldn't have wound up," Heimerich said. "We're looking into how that happened."
The breach was discovered on Monday, June 9, Heimerich said. People whose names were on the list were sent an email the next day and an official letter a week later. The letter warned them to keep an eye on their credit reports and advised them to call the police if they see anything suspicious. It also included contact information for the three main credit reporting agencies, Experian, Equifax and TransUnion.
Heimerich said the DCA will pay for a year of free credit reports and provide fraud insurance of up to $25,000 for everyone on the list. He said the DCA had not yet determined how much these protections were going to cost.
About 2,800 of the people on the list are current, full-time employees of the DCA. The document also included some former employees and numerous contractors, such as people who proctor state job examinations. The rest of the names were employees and board members of the 56 professional boards and bureaus administered by the DCA, such as the Bureau of Automotive Repair and the Medical Board.
One agency whose employees were not on the list is the California Office of Privacy Protection (OPP). That agency moved under the State and Consumer Services Agency, effective January 1, as part of a reorganization designed to improve the state's technology infrastructure. It is still headquartered in the same Sacramento office as the DCA, but only one of its nine employees was listed on the compromised document.
OPP has been advising DCA and its employees on how to guard against identity theft, said OPP chief Joanne McNabb. She said the DCA has been very fast and proactive in dealing with the breach.
"The Department of Consumer Affairs has been very true to its consumer mission in reacting to this for their own employees," McNabb said.
One DCA employee who asked not to be named cited another security breach in March 2006. In that case, physical mail was stolen from the DCA offices on Howe Avenue. This prompted fraud warnings for licensees of 10 professional boards, including the Medical Board of California.
"I want to know, what procedures did they change in 2006 and why did those fail in 2008," the employee said, adding, "They assured the employees at the time they had fixed all the breach possibilities."
But security expert David Scott said that breaches based on human error, as the current incident appeared to be, can be very hard to stop. Scott has advised companies and government agencies on security for 20 years, and has written a book on the subject, "IT Wars." One key, he said, is to thoroughly train employees on how to avoid making these types of mistakes.
"Everyone really needs to be a mini security officer these days," Scott said. "There is no technical system that can overcome laxity or ignorance."