Full Report
When was the last time we read about a breach involving a lost or stolen USB drive? It’s been a while, but now Keith Menconi reports: San Jose administrators have disclosed that private information for current and former city employees may have been compromised, following a data breach last month. The incident occurred on Jan.... Source
Analysis Summary
# Incident Report: City of San Jose Employee Data USB Breach
## Executive Summary
The City of San Jose experienced a data breach involving the loss of a physical USB drive by a city workforce member. The drive reportedly contained sensitive Personal Identifiable Information (PII), including Social Security numbers, of current and former employees dating back as far as the year 2000. While the city has initiated notification for affected individuals, it has faced criticism regarding the timeline of its disclosure.
## Incident Details
- **Discovery Date:** Not explicitly disclosed (Notification letters sent in mid-February)
- **Incident Date:** January 9
- **Affected Organization:** City of San Jose
- **Sector:** Government (Municipal)
- **Geography:** San Jose, California, USA
## Timeline of Events
### Initial Access
- **Date/Time:** January 9
- **Vector:** Physical loss of hardware.
- **Details:** A "workforce member" lost a USB flash drive containing sensitive city data.
### Lateral Movement
- **N/A:** This was a physical hardware loss; no network lateral movement occurred.
### Data Exfiltration/Impact
- **Details:** Potential compromise of sensitive PII, specifically Social Security numbers. The scope includes both current employees and former employees (at least one individual has not worked for the city in over 20 years).
### Detection & Response
- **Detection:** The loss of the device on Jan. 9 was reported internally by the workforce member.
- **Response:** The city mailed notification letters to affected individuals approximately one month later (mid-February).
## Attack Methodology
- **Initial Access:** Physical loss of unencrypted/unsecured media.
- **Persistence:** Not applicable.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** Data was manually copied to a portable USB drive.
- **Exfiltration:** Physical removal/loss of the device from city premises/control.
- **Impact:** Potential identity theft and unauthorized access to PII.
## Impact Assessment
- **Financial:** Unknown; potential costs related to credit monitoring services for victims and administrative overhead.
- **Data Breach:** Social Security numbers (SSNs) of current and former staff. The total number of affected individuals has not been disclosed.
- **Operational:** Low; no disruption to city services reported.
- **Reputational:** High; current employees expressed alarm over IT practices and the delay in notification.
## Indicators of Compromise
- **Physical:** Missing/lost USB flash drive.
- **Behavioral:** Unauthorized use of removable media for storing sensitive PII.
## Response Actions
- **Containment:** Reporting of the lost device by the workforce member.
- **Eradication:** Not possible once the physical device was lost.
- **Recovery:** Identification of affected records and notification of data subjects.
## Lessons Learned
- **Data Retention Policies:** Data for an employee who left in 2000 was still accessible and included on a portable drive, suggesting a failure in data lifecycle management.
- **Media Control:** The use of unencrypted or unrestricted USB drives for highly sensitive data like SSNs represents a significant security gap.
- **Disclosure Lag:** A one-month gap between the incident and notification led to employee dissatisfaction and public criticism.
## Recommendations
- **Technical Controls:** Implement Data Loss Prevention (DLP) software to block the transfer of PII to unauthorized USB devices.
- **Encryption:** Mandate the use of hardware-encrypted USB drives if removable media is required for business operations.
- **Data Minimization:** Review and purge legacy employee data that is no longer required for legal or business purposes to reduce the "blast radius" of a breach.
- **Policy Enforcement:** Reiterate and enforce policies regarding the handling and transport of sensitive city data outside of secured environments.
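The DLP and data-minimization recommendations above can be made concrete in a small amount of code. The following is an added example, not the City of San Jose's tooling or any vendor's product: a host-side check that refuses to write content containing Social Security numbers to removable media unless the device is an approved encrypted one, together with a retention sweep that flags former-employee records old enough that a lifecycle policy should have purged them. The CSV export, the `destination_removable` and `device_encrypted` flags (which a real agent would obtain from the operating system's device inventory) and the cutoff year are all constructed assumptions for the illustration.

```python
"""
DLP-style gate for writes to removable media, plus a retention sweep for
stale former-employee records. Added illustration, not the City of San
Jose's tooling; the CSV below is constructed sample data.
"""
import csv
import io
import re
from dataclasses import dataclass

# Candidate SSN: AAA-GG-SSSS, with "-", " " or no separator between the parts.
# Bare nine-digit runs are deliberately caught too; the cost is occasional
# false positives, which a DLP control should prefer over a missed SSN.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: area is never 000, 666 or 900-999,
    group is never 00 and serial is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return the plausible SSNs found in text, normalised to AAA-GG-SSSS."""
    return [
        f"{a}-{g}-{s}"
        for a, g, s in SSN_RE.findall(text)
        if is_plausible_ssn(a, g, s)
    ]


@dataclass
class Verdict:
    allowed: bool
    ssn_count: int
    reason: str


def check_transfer(content: str, destination_removable: bool,
                   device_encrypted: bool) -> Verdict:
    """Decide whether content may be written to the destination.

    destination_removable and device_encrypted are assumed to be supplied
    by the host agent (e.g. from the OS's device inventory); this example
    takes them as plain arguments.
    """
    hits = find_ssns(content)
    if not hits:
        return Verdict(True, 0, "no SSNs detected")
    if not destination_removable:
        return Verdict(True, len(hits), "SSNs present; destination is a managed internal location")
    if device_encrypted:
        return Verdict(True, len(hits), f"{len(hits)} SSN(s) written to an approved encrypted device")
    return Verdict(False, len(hits), f"blocked: {len(hits)} SSN(s) bound for unencrypted removable media")


def stale_records(csv_text: str, cutoff_year: int) -> list[str]:
    """employee_ids of former employees who separated before cutoff_year,
    i.e. records a retention policy would purge rather than keep exportable."""
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        separated = row["separated"].strip()
        if separated and int(separated[:4]) < cutoff_year:
            stale.append(row["employee_id"])
    return stale


# Constructed sample export: two structurally plausible SSNs, one invalid one
# (area 000), and one employee who left in 2000.
SAMPLE_EXPORT = """\
employee_id,name,ssn,separated
1001,A. Example,219-09-9999,
1002,B. Example,078-05-1120,2000-06-30
1003,C. Example,000-12-3456,2015-01-15
"""

if __name__ == "__main__":
    print(check_transfer(SAMPLE_EXPORT, destination_removable=True, device_encrypted=False))
    print(check_transfer(SAMPLE_EXPORT, destination_removable=True, device_encrypted=True))
    print("stale records:", stale_records(SAMPLE_EXPORT, cutoff_year=2010))
```

Run stand-alone, the first call is refused (two SSNs bound for an unencrypted removable device), the second is allowed because the device is an approved encrypted one, and the retention sweep returns the employee who left in 2000. The structural SSN filter keeps obvious non-SSNs such as `000-12-3456` from inflating the count, but it is a detection aid rather than proof that a number belongs to a real person, so a production control should pair it with record context (column names, surrounding labels) before deciding.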