Mountjoy & Bressler Stolen Laptop, Unknown Number of E.On Victims

Date Reported:
8/2/07

Organization:
E.On

Contractor/Consultant:
Mountjoy & Bressler

Number Affected:
Unknown (est. 3,000+)

Types of Data:
Name, Social Security number, and birth date.

Breach Description:
A laptop computer containing the names, Social Security numbers and birthdates of "most" E.On US employees and "some" retirees was stolen from Mountjoy & Bressler, an accounting firm contracted to work with E.On. E.On US had 3,000 employees at the end of 2005.

Reference URL:
www.courier-journal.com/apps/pbcs.dll/article?AID=/20070802/BUSINESS/70802021
www.courier-journal.com/apps/pbcs.dll/article?AID=/20070803/BUSINESS/708030416/1003

Report Credit:
The Courier Journal

Response:
From the article cited above:

"the company is not disclosing how many names of employees and retirees were included in the data because of an ongoing police investigation"
[Comfyllama] I am not sure how disclosing the number of affected individuals would hinder a police investigation any more than it has been already. I am guessing that E.On and Mountjoy & Bressler either do not know how many, or they are embarrassed to disclose how many.

"Both E.On and Mountjoy said in their letters that the computer had security features that would make the data difficult to retrieve and that there have been no signs of misuse of any of the data"
[Comfyllama] Sounds like standard response language to me.  Difficult to retrieve?  About as difficult as slaving a hard drive or burning a CD and rebooting.  Sad.

"Keeling (E.On spokesperson) referred questions about why the information was on a laptop to Mountjoy.
"We were concerned that it was on a laptop," he said."
[Comfyllama] Smartest thing said in the article.

"Brad Smith, a Mountjoy partner, said no company procedures were violated; however, the accounting firm is reviewing its policies."
[Comfyllama] No company procedures were violated?!  So this is standard practice to keep confidential data on unencrypted mobile devices.  UGH!

""The use of a laptop is kind of a standard procedure in the industry," he said (Brad Smith). "As we go out and do audit work, working with our clients, you know, we gain data for purposes of analyzing and testing the data to support an audit opinion. … At the end of the audit process that data is then purged from the laptop."
[Comfyllama] Yep, standard practice alright. This is NOT standard procedure in the industry. This is POOR business practice and POOR management, period. There is NO excuse for treating confidential data in this manner. I wonder how these guys purge data? Insecurely, I am sure.

Mountjoy is offering a free year of credit monitoring and insurance service to affected individuals.

Commentary:
Many companies don't think of this, but it makes good sense to audit the security practices of vendors, partners and other third parties that have access to sensitive data.

Before an outside entity is allowed ANY access to corporate data, it should be audited for security and governed by policy. See The Trusted Toolkit Sample Vendor/Third-Party Access Policy for guidance in creating a Vendor/Third-Party Access Policy.

Past Breaches:
None since August 2007
