Merrill Lynch Stolen Hard Drive, 33,000 Current and Former Employees Affected
Date Reported:
8/7/07
Organization:
Merrill Lynch
Contractor/Consultant:
None
Number Affected:
33,000
Types of Data:
Name, Social Security number, and compensation-related data.
Breach Description:
A computer back-up device containing sensitive, personally identifiable information on 33,000 current and former employees of Merrill Lynch was stolen from Merrill Lynch's Plainsboro, New Jersey corporate office.
Reference URL:
http://www.cnbc.com/id/20162588
http://doj.nh.gov/consumer/pdf/merrill2.pdf
Report Credit:
Charlie Gasparino, CNBC
Response:
"no client data was affected as a result of this matter"
"there were no home addresses, no birthdates, no account numbers, no credit or debit card numbers, and no beneficiary/benefits-related information on the hard drive"
[Comfyllama] If I were a criminal, would I care? Name and SSN should be good enough.
"data on the storage device is not accessible without the use of specific software and extensive technical expertise"
[Comfyllama] We know that the "storage device" is a hard drive based on the last quote and "extensive technical expertise" is very subjective. I wonder what expertise would be required exactly. I would not assume that the data is safe with anything short of encryption.
"We have no evidence that the device has been compromised or that any of your information has been, or will be, misused. The device contains very sophisticated security hardware and software."
[Comfyllama] That sounds pretty cool. We all want sophisticated security hardware and software, don't we? No need though. SIMPLE encryption would have provided all the security necessary.
Merrill Lynch is offering free credit monitoring to affected individuals.
Commentary:
I know from experience that Merrill Lynch takes information security very seriously. I assume that they have made some changes to procedure since this incident. Although I am not relieved by their response, and I am disappointed that this data was not encrypted, I do have a favorable opinion of Merrill Lynch's information security practices.
Past Breaches:
None since August 2007