NYPD faces ID theft risk after data stolen from pension fund
Data recovered, but 80,000 current and former cops may be affected
Computerworld - In a demonstration of how no organization is immune from insider threats, the New York City Police Pension Fund (PPF) office is notifying about 80,000 current and former NYPD officers of the potential compromise of their personal information after a civilian employee recently stole storage media containing the data.
A sample alert (download PDF) posted on the pension fund site identified the individual as an employee of the PPF and said he was arrested Feb. 27 after a security breach at one of the pension fund's disaster recovery sites.
At the time of the arrest, the individual was discovered to be in possession of "certain business records" containing data about retired and active members of the NYPD. The compromised data included Social Security numbers, names, addresses and bank account information, the statement said.
"Even though the property was recovered, we cannot assure you that the information was not compromised," the statement said regarding why it was sending out the notifications.
Several news media reports identified the arrested individual as Anthony Bonelli, 46, the fund's director of communications. A brief description of the incident on the New York Post Web site said Bonelli had allegedly gained unauthorized access to a backup facility on Staten Island, unplugged security cameras and then walked out with eight storage tapes containing the data.
Comments that Bonelli made at work raised suspicions and led to an investigation of the disaster recovery site by technology specialists who then discovered the theft, the Post said. The tapes were recovered from Bonelli's home at the time of his arrest.
A phone call to the NYPD requesting confirmation of these details as well as the number of officers affected by the incident was not immediately returned.
According to the pension fund alert, the breach did not affect those hired after May 2007, because all data after that date is stored in encrypted form. Also not affected in the incident was any information relating to the undercover identities of NYPD officers, the alert said.
The breach highlights the well-documented risks that organizations face from rogue employees. Over the past several years, security experts have said that malicious insiders pose as much of a risk, if not an even greater one, to corporate data than external attackers do. Several high-profile incidents at organizations such as DuPont, the city of San Francisco and Medco Health Solutions Inc. have hammered home that point.
Lately, however, those fears have been exacerbated by concerns over the economy and the resulting waves of layoffs and consolidations as companies seek to cut costs and stay afloat.
A recent survey by the Ponemon Institute of 945 individuals who were laid off, fired or quit their jobs showed that nearly six out of 10 admitted to stealing company data and nearly seven in 10 said they used confidential information from their previous jobs to land a new one.
According to the survey, individuals who felt negatively about the company they were leaving tended to steal data far more often than those who had a favorable view.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts