Was the Kraft tape lost or did we really destroy it?
Date Reported:
9/14/07
Organization:
Kraft Foods
Contractor/Consultant:
Caremark and Affiliated Computer Services (ACS)
Victims:
"current Kraft employees or, in a small number of instances, former Kraft employees or dependents of Kraft employees"
Number Affected:
Unknown (95 reported New Hampshire residents)
Types of Data:
Name and Social Security number
Breach Description:
Affiliated Computer Services (ACS), a service provider to Caremark, which is in turn a service provider to Kraft, misplaced a computer tape that contained sensitive information about Kraft employees.
Reference URL:
http://doj.nh.gov/consumer/pdf/Kraft.pdf
Report Credit:
New Hampshire Attorney General
Response:
From the official New Hampshire breach notification:
"we are providing you with written notification regarding the nature and circumstances of a recent event that may constitute a legally-reportable security breach."
"Affiliated Computer Services (ACS), a service provider to Caremark, which administers Kraft's prescription drug benefits program, recently misplaced a computer tape including names and Social Security numbers"
[Comfyllama] Did you follow that?
"ACS believes it destroyed the tape and, as such, we do not believe that the event constitutes a legally-reportable security breach"
[Comfyllama] Believing something and it being true are two different things.
"At this time, we have no evidence that any information has been subject to unauthorized access or used to commit identity fraud"
[Comfyllama] This is nothing more than "standard" breach disclosure lingo.
Kraft is providing 24 months of monitoring to affected individuals.
Commentary:
It always irks me when a service provider or consultant does not follow security best practices. For one, the data on this tape should have been encrypted. Secondly, records of tape destruction must be kept and verified. If Kraft does not think that this incident constitutes a legally-reportable security breach, then why report it? Unfortunately, we have no more information than what was reported to the Attorney General, so we have little from which to draw conclusions.
Past Breaches:
None