First California, now New York lets pensioner info slip

Computerworld - The past few days have turned out to be a tad unlucky for some retirees.

First, California's state pension fund office admitted to accidentally printing out Social Security numbers (SSNs) in the address pane of brochures it mailed out to some 485,000 retirees.

Now, a laptop thought to contain SSNs and other personal data on 280,000 New York pensioners has been stolen. The laptop belonged to a consultant working at the city's Financial Information Services Agency (FISA) and was taken Monday evening from a restaurant in which he was dining.

"The consultant hired by FISA had access to personal information of members of the city's various pension systems," Jason Post, a City Hall spokesman, said via e-mail. "We believe that the stolen laptop contained some files with personal information in them, but it is unclear how much," Post said.

FISA is a technology services provider for the city.

"It is important to note we know for a fact that only some of the 280,000 retirees' information could have been on that laptop," Post said. "We just don't know which subset of that universe," might have been affected by the theft, he said. As a result, the city is moving to notify all 280,000 pensioners of the breach and its potential impact on them, Post said. The data on the laptop may have been encrypted, but officials could not confirm that for sure.

The New York laptop incident is the second one in recent days to involve personal data belonging to retirees. Just last week, the California Public Employees' Retirement System inadvertently printed SSNs on brochures about an upcoming election that were mailed to about 445,000 state retirees.

The privacy breach happened after an employee inadvertently sent a disk containing the numbers to the printer responsible for the brochures. The disk was only supposed to contain the names and addresses of the individuals on the mailing list.

That error prompted several changes at the agency, including new security awareness training for employees and a new process that involves sign-offs from three individuals before personal information can be released.

Read more about security in Computerworld's Security Knowledge Center.