NYPD faces ID theft risk after data stolen from pension fund

Computerworld - In a demonstration of how no organization is immune from insider threats, the New York City Police Pension Fund (PPF) office is notifying about 80,000 current and former NYPD officers of the potential compromise of their personal information after a civilian employee recently stole storage media containing the data.

A sample alert (download PDF) posted on the pension fund site identified the individual as an employee of the PPF and said he was arrested Feb. 27 after a security breach at one of the pension fund's disaster recovery sites.

At the time of the arrest, the individual was discovered to be in possession of "certain business records" containing data about retired and active members of the NYPD. The compromised data included Social Security numbers, names, addresses and bank account information, the statement said.

"Even though the property was recovered, we cannot assure you that the information was not compromised," the statement said regarding why it was sending out the notifications.

Several news media reports identified the arrested individual as Anthony Bonelli, 46, the fund's director of communications. A brief description of the incident on the New York Post Web site said Bonelli had allegedly gained unauthorized access to a backup facility on Staten Island, unplugged security cameras and then walked out with eight storage tapes containing the data.

Comments that Bonelli made at work raised suspicions and led to an investigation of the disaster recovery site by technology specialists who then discovered the theft, the Post said. The tapes were recovered from Bonelli's home at the time of his arrest.

A phone call to the NYPD requesting confirmation of these details as well as the number of officers affected by the incident was not immediately returned.

According to the pension fund alert, the breach did not affect those hired after May 2007, because all data after that date is stored in encrypted form. Also not affected in the incident was any information relating to the undercover identities of NYPD officers, the alert said.

The breach highlights the well-documented risks that organizations face from rogue employees. Over the past several years, security experts have said that malicious insiders pose as much of a risk, if not an even greater one, to corporate data than external attackers do. Several high-profile incidents at organizations such as DuPont, the city of San Francisco and Medco Health Solutions Inc. have hammered home that point.

Lately, however, those fears have been exacerbated by concerns over the economy and the resulting waves of layoffs and consolidations as companies seek to cut costs and stay afloat.

A recent survey by the Ponemon Institute of 945 individuals who were laid off, fired or quit their jobs showed that nearly six out of 10 admitted to stealing company data and nearly seven in 10 said they used confidential information from their previous jobs to land a new one.

According to the survey, individuals who felt negatively about the company they were leaving tended to steal data far more often than those who had a favorable view.

Read more about security in Computerworld's Security Knowledge Center.