Nearly 19,000 Colorado state workers—both current and former—could have identity protection concerns after a state worker lost a USB or thumb drive containing their personal data including Social Security Numbers (SSN).
“A state employee lost the drive while transporting it between work locations. There is no indication that this information has been misused or stolen,” a press release from the Governor’s Office of Information Techology (OIT) stated.
“The electronic file contained names, Social Security numbers and some home addresses of approximately 18,800 state personnel. Out of an abundance of caution, the state is contacting every individual with a phone call and/or letter to notify them, apologize, and direct them to resources through the Colorado Attorney General’s Office for additional identity protection information.”
Of the 18,800 individual files determined to be on the missing data device, about 8,000 belong to current employees who will be easy to notify. An additional 10,800 are former personnel whose contact info on file could be out of date.
The drive was first discovered to be missing in late November. Some individuals now getting breach notification letters reportedly thought the letter was a fraud because it contained some questionable info.
“We worked so hard to get (info about the breach) out as quickly as we could but there was a problem with the link contained in the letter,” OIT spokeswoman Tauna Lockhart said. That link was supposed to take letter holders to a resource page at the Colorado AG’s office.
As for the question of whether the drive was encrypted or password protected, Lockhart said, “That’s a good question. We have strict policy for the state about encryption. That said, this employee did not follow stated protocol and has been disciplined.”
Lockhart declined to indicate which department the employee worked for or which departments had employee data on that lost drive but did indicate that employees from multiple state agencies were involved. Copies of the letter to the 18,800 are not being released to the media.
The letters were mailed around December 11 and a press release was issued by the OIT on Friday—a day dominated by the news of a shooting at Arapahoe High School south of Denver.
“The Office of Information Security is continuing all necessary efforts to recover the file,” said Jonathan Trull, Colorado’s Chief Information Security Officer. “We are also reviewing and revising procedures and practices to minimize the risk of recurrence.”