Verisign Stolen Laptop, Unknown Number of Current and Former Employees Affected
Date Reported:
8/6/07
Organization:
Verisign
Contractor/Consultant:
None
Number Affected:
Unknown
Types of Data:
Name, Social Security number, date of birth, salary information, telephone number and home address
Breach Description:
A laptop computer containing sensitive, personally identifiable information was stolen from a Verisign employee's car. The persons affected by this incident are current and past Verisign employees.
Reference URL:
http://wizbangblog.com/content/2007/08/02/laptop-theft-leaves-verisign-employees-data-exposed.php
Credit:
Wizbang
Response:
From the linked articles outlined above:
"The laptop possibly contained personal information including name, Social Security number, date of birth, salary information, telephone numbers and home addresses, but it did not include credit card numbers, bank account numbers, or password information. The laptop did not contain any information about any VeriSign customers."
[Comfyllama] Who needs credit card numbers, bank account numbers, or password information when you have possession of names, Social Security numbers, dates of birth, salary information, telephone numbers and home addresses? Couldn't I just get my own credit cards and bank accounts?
"We have no reason to believe that the thief or thieves acted with the intent to extract and use this information"
"The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password."
[Comfyllama] Yeah, so? How long do you think it would take to get through or around the password and get at the sensitive data? I will tell you, not very long at all.
"VeriSign already has a strong Information Security Policy in place, which in this case was unfortunately not followed. VeriSign's Information Security Department issues a quarterly publication to remind employees of this policy."
Verisign is offering all affected employees a free one-year subscription to a credit monitoring service.
Commentary:
Verisign is a respected information security company. If you believe everything you read in Verisign's response, then it appears that they did some things right. They have a policy that prohibits the type of behavior that led to this breach and they appear to have an employee awareness program. The one thing I can think of that would prevent this in the future is to encrypt all laptops and personal computers used by those employees that have access to confidential data. Sensitive data at rest should be encrypted.
This incident just goes to show that even respectable information security companies are not immune to security breaches.
Past Breaches:
None since August 2007