14 DAY TRIAL // Burglars breaking into Aspire’s administrative offices stole multiple laptop computers containing sensitive information about customers and clients of the private behavioral and mental health nonprofit organization.
The incident occurred on November 7, 2014, and it was immediately reported to law enforcement. Data forensics experts were also contracted to find out if personal information was stored on the stolen devices and what it consisted of.
Information could be used for tax and credit fraud
It is unclear when the breach notification was made public, but according to the disclosure and notification requirements under Indiana law, an entity has to inform affected individuals without unreasonable delay.
The adjourning may be caused by the necessity to restore the integrity of the computer system, discover the full scope of the breach or if a disclosure would hinder criminal or civil investigation, impact national security.
During the investigation of the incident, it was discovered that the stolen laptops contained emails with personal information such as names, addresses and social security numbers (SSN) of employees and some of the clients.
This type of information is sufficient for crooks to apply for credit in the name of the victim or use it in tax return fraud.
The notification does not make it clear, but medical numbers of customers and personal health information may have also been stored on the devices; medical records remain secure as this type of data was not present on any of the stolen laptops, the notification says.
Computers have most likely been cleaned up and sold
In total, 45,030 individuals have been affected by the incident, and 1,548 of them had their SSN exposed. As per the notice, there is no reason to believe that the data has been misused in any way.
Generally, thieves are more interested in the electronic goods they steal, which can be quickly converted into cash. Most of the times, the process of readying the device for a new owner consists in formatting the hard drive in order to remove evidence of the theft, and re-installing the operating system.
However, the risk for the devices to reach a more tech-savvy criminal that is aware of the value of the personal information present on the hard drive still exists; they could sell it on underground forums in order to maximize the illegal profit.
Aspire Indiana has delivered the notification to the affected individuals, and to prevent unnecessary distress to its customers, the organization also offers identity protection services.