Network News

X My Profile
View More Activity

More data breaches at Commerce Dept.

By Ed O'Keefe

Commerce Secretary Gary Locke informed Commerce Department employees on Thursday that at least two more breaches involving the names and Social Security numbers of some employees have occurred in recent weeks, following two other incidents in the past six months.

"Please know we have no reason to believe that any of these incidents has resulted in any personal information being inappropriately used by anyone," Locke said. The few hundred employees potentially at risk were previously informed, Locke said in a department-wide e-mail sent Thursday afternoon. (See the full e-mail below.)

Deputy Secretary Dennis Hightower will lead a task force to review the department's procedures on handling employees' personal information and deliver a report with recommendations by March 1, Locke said.

He also instructed all department employees with access to personal information to attend training sessions in the coming days about interim protocols he put in place this week to protect personal information. The department will provide training to all employees about how to better protect their personal information.

Department officials were criticized last month for waiting to inform employees about a Dec. 4 breach until late January. A letter was not sent out until officials gained information about the breach through the investigative process, an official told The Post's Joe Davidson. Once the letter was written, it apparently got caught in a backlog of mail to be sent to employees, including W-2 income tax forms.

Leave your thoughts in the comments section below

Dear Colleagues,
In the past several weeks, a number of you have raised concerns about the security of your personally identifiable information held by the Commerce Department. We take those concerns seriously, and I want you to know what we’re doing to address them.
Personally Identifiable Information is information that can be used to distinguish or trace an individual's identity – such as name, social security number, fingerprint records, date and place of birth, mother’s maiden name, etc. And like any employer, the Department of Commerce has access to personal information of its employees.
The protection of this information – for every one of our more than 50,000 employees – is vitally important to all of us.
Many of you know about two incidents in the last six months where a significant number of employees’ personal information was not properly protected on our computer systems for a brief period. Anyone affected by these incidents has already been notified. In recent weeks, we also discovered additional incidents where some employees failed to follow the proper protocol for handling personal information. The errors discovered involved a few hundred employees, but they are no less troubling. Again, any employee affected by these incidents has been notified.
Please know we have no reason to believe that any of these incidents has resulted in any personal information being inappropriately used by anyone. But given how important Personally Identifiable Information is, we took extraordinary measures to protect you – including enlisting a company to monitor, for unusual activity, our employees’ personally-identifiable information.
Nonetheless, one of the reasons I’m writing today is because I believe more must be done. These failures are simply unacceptable.
I want you to know that I’ve taken both immediate and long-term steps to ensure that the department is properly handling and securing your personal information.
In the immediate term:
• Interim protocols are being instituted immediately to further protect your personal information.
• Every staff member across the Commerce Department with access to personally identifiable information will take part in additional training and instruction in the coming days about the interim protocols and to reinforce the requirement that all existing policies and procedures be followed precisely.
• Earlier this week, we convened an emergency session of the Executive Management Team to reinforce the importance of protecting personal information and to create high-level awareness of the seriousness and necessity of following established protocol for protecting sensitive information.
To improve our protection of your information in the long-term, today I asked Deputy Secretary Dennis Hightower to oversee a comprehensive review of all department policies, processes and systems pertaining to the confidentiality of employee Personally Identifiable Information. He will work with the Personal Information Protection Task Force at Commerce to deliver a plan for improvement by March 1.
We take our responsibility to protect your information – and any failures to do so – very seriously. I will report back to you as this process moves forward.
In the coming months, the department will also provide you with training on ways you can protect your own information and identity in all aspects of your life. As we become an increasingly “wireless” society, we are at greater risk of having our personal information compromised. We should all vigilantly protect our personal information in any setting – whether using a credit card at a store, banking on the Internet or reviewing personal documents in a public place.
We hope you will take advantage of this opportunity.
Thank you for voicing your concerns about this serious issue. I hope you will continue to provide feedback as we work to become a more effective organization and a leader in protecting privacy.
Gary Locke

By Ed O'Keefe  | February 4, 2010; 3:40 PM ET
Categories:  Agencies and Departments, Workplace Issues  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Unscheduled Leave for Federal Workers on Friday
Next: Eye Opener: Avocados and mangoes on the mind at USDA


I received the notice from the National Archives and Records Administration yesterday; it stated that I could have a year of free credit monitoring but when you go to the link and sign up, you still have to purchase your credit report. There is no "free monitoring" for the retroactive period starting when the data went missing.


This is useless because it leaves a huge year-long hole in the supposed coverage. The only thing NARA succeeded in doing with this response was to created confusion and frustration - it is lip service only - there isn't a practical bone in this bird.

The only way to pull this off successfully is to monitor the credit history from the first day of data loss, which is hard to believe they could frak this up so bad as to not consider this very obvious and practical aspect of the issue.

Posted by: WorldNet | February 4, 2010 4:15 PM | Report abuse

Most of the folks in the federal government who handle security are the counter parts to watching a music video from a third world country... about 10 years behind the times. A REAL report from the Post would be how China has accessed the complete systems at DOC for years. Tried to give you that story but we live in an A.D.D. world. Ask the folks from CISCO they know of the breach and about the cover up. Lets face it some g.s. 11 who does computer security is looked upon as a god by the political appointees and the college educated folks who still spend 30 mins a day playingMicrosoft solitaire and think they are computer savvy because they can Google. If you are real smart track me down and I will help you with the story. off the record.

Posted by: teamsimple | February 4, 2010 6:47 PM | Report abuse

It was only a matter of time before someone figured out a way to wear data breeches!

Posted by: Wildthing1 | February 4, 2010 7:16 PM | Report abuse

Lets get moving America and get the cyber-security bill passed. Foxx of NC was rightfully put in her place for putting forth a request having nothing to do with the bill slowing down what should be passed quickly. Her point made in morning business before bills are discussed or related bills is the appropriate forum.

Posted by: jameschirico | February 4, 2010 7:55 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company