Sensitive personal information about almost 700 Prince William County residents, including addresses and Social Security numbers, has been compromised after a county-issued BlackBerry was stolen from an employee's locked vehicle.
The employee works for the Intellectual Disabilities Case Management Program, which provides services to residents with intellectual disabilities. All 669 residents are enrolled in the program.
Prince William County officials are dealing with the fallout of the incident, which occurred overnight between June 18 and 19 while the vehicle was parked in the driveway of the employee's home.
Tom Gibe, executive director for county community services, said he did not know how easily accessible the information was on the BlackBerry, but that it does not have password protection.
"It should have been better secured with the use of a password," he said. "We didn't do what should have been done."
Prince William County police are investigating the theft, and the service provider has deactivated several of the phone's functions.
Stephen Palmer, owner of Herndon information security company ThreatPerspective, said he isn't surprised that such an incident happened, given the nature of the BlackBerry.
"The fact that we can use these great little gadgets to work from anywhere has enabled our work life to encroach deeply into our personal life and nearly anywhere we might find ourselves," he said.
He noted a BlackBerry is much easier to lose or misplace than a laptop, but can hold just as much sensitive information.
According to Gibe, employees are issued BlackBerrys because they often work outside the office. There are no policies regarding what can be stored on the phones. The county is reviewing its practices and looking into different encryption technologies.
He said the other phones have also been checked.
"We've done an inventory of the staff," he said. "No one had the level of information and specificity of information of this machine."
County officials have sent letters to those affected and have been working with case managers to begin briefing residents on what they should do to protect themselves.
The residents and those who care for them are urged to notify their banks and credit lenders of a possible security threat and are warned not to confirm or provide personal information over the phone or to unknown solicitors.
County community services is negotiating a contract with the three credit-reporting agencies -- Equifax, Experian and TransUnion -- to pay for a credit report for the next 12 months for those affected. It would not cost residents.
Officials are saying residents should place a fraud alert with one of companies.
Gibe said the employee has not been placed on leave, as an internal investigation is ongoing.