"Experienced" Gap vendor stolen laptop affects 800,000
Technorati Tag: Security Breach
Date Reported:
9/28/07
Organization:
Gap Inc.*
*Gap Inc. brands include Gap, Banana Republic, Old Navy, and Piperlime.
Contractor/Consultant:
"an experienced third-party vendor", according to Gap Inc.
Victims:
Gap Inc. job applicants who applied for employment between July 2006 and June 2007.
Number Affected:
800,000
Types of Data:
Personal information including name and Social Security number.
Breach Description:
Two laptop computers containing personal data on Gap Inc. job candidates were stolen from the offices of an unnamed human resources vendor.
Reference URL:
Official Notification Letter
The Story at The Register
Report Credit:
Gap Inc.
Dan Goodin, The Register
Special Thanks to "vanish"
Response:
From the online resource referenced above:
"A laptop owned by an experienced third-party vendor who manages job applicant data for Gap Inc. was recently stolen from their offices. This laptop contained the personal information of approximately 800,000 people who applied online or by phone for store positions with one of Gap Inc.’s brands between July 2006 and June 2007."
"On September 19, 2007 we learned that two laptop computers were stolen from the office of an experienced, third party vendor that helps Gap Inc. manage job applicant data. Unfortunately, one of the laptops contained personal information you provided us, including your name and Social Security number"
[Comfyllama] "Unfortunately"? Poor business practice has more to do with this than does fortune!
"Few companies disclose details of their data-retention policies, such as whether computers containing sensitive information are encrypted. This is partly because the release of too much information can tip off criminals"
[Comfyllama] Hogwash! There is no security in obscurity!
"sensitive information belonging to residents of the US and Puerto Rico who applied online or by phone for jobs from July 2006 to June 2007"
[Comfyllama] 800,000 people applied for jobs with Gap Inc. in less than a year? Wow.
"I know that this news is unsettling and Gap Inc. deeply regrets this incident occurred"
"We and the vendor are cooperating with law enforcement authorities on this matter and an investigation is underway. In addition, the vendor has adopted additional security measures at its offices. We're also reviewing the facts and circumstances that led to this incident closely and will take appropriate steps to help prevent something like this from happening again."
"At this time, we have no reason to believe the data contained on the computer was the target of the theft or that the personal information has been accessed or used improperly"
[Comfyllama] If you look back at other breach responses, you will find that this is nothing more than standard lingo that really means nothing.
"Nonetheless, to help you safeguard your personal information, we've made arrangements to offer you 12 months of credit monitoring with fraud assistance--at no cost to you"
[Comfyllama] Does this sound to you like they are doing the victims some kind of favor? Thank you Gap Inc. and your "experienced" vendor for losing personal information and giving this protection that we wouldn't need if companies like you treated confidential data properly!
Commentary:
There is no excuse for treating confidential personal information this way. You would think that an "experienced" third-party vendor would know how to secure sensitive data. This "experienced" vendor should know that human resources data is among the most sensitive data there is. It seems like I am stating the obvious, but confidential data should not be on a laptop at all, and if it must be, then it MUST be encrypted. 800,000 confidential records on an unencrypted laptop amazes me! Maybe it shouldn't.
I am very interested to hear who this "experienced" third-party vendor is. Holy moly, what do their inexperienced vendors do? Has this vendor been living in a bubble over the past couple of years and not heard any news of this thing called identity theft and fraud?
Taleo maintains the Gap online job site, so it was an obvious first thought that they might be involved. Taleo has denied any involvement.
The vendor is still a mystery now, but will surely surface soon.
Past Breaches:
Unknown
If you are a victim of this breach, or think you may be a victim of this breach be sure to check http://www.gapsecurityassistance.com/ regularly for updates.
To speak to someone live, please call the Gap Inc. Security Assistance Helpline at 1-. Representatives are available 24 hours a day, seven days a week, to provide information and assistance. Because of potentially high call volumes, you may need to wait to speak to a representative, and we appreciate your patience.
I am one of the victims of this breach. I am furious! Gap points the finger at the vendor. Gap should take some responsibility. They did hire this vendor. My personal information is out there in someone's hands and it can be misused.
I am also one of the victims. While it is the fault of the "experienced" vendor, I agree that Gap Inc. should take some type of responsibility. This is just one more thing I have to worry about at the end of the day. I would be very interested to learn how other companies deal with personal information security.
I am very sorry to hear that you have been personally affected by this breach.
You are ABSOLUTELY correct in that Gap Inc. should take responsibility. In my opinion, they should take most of the responsibility. In not disclosing their vendor they are adding to their irresponsibility. I think you have a right to know who lost YOUR DATA. This is NOT Gap Inc.'s data, it is yours, and you have a right to know who does what with it.
To answer your question, the way other companies handle personal information differs from company to company. Maybe it shouldn't, but it does. There are commonly known (to good security professionals) "best practices", and one of those that would apply to this case would be to encrypt confidential data at rest.
I have to agree. It is 800,000 people's confidential personal information in the hands of we don't know who. It is our right to know who this vendor is. I want the name of the vendor, plain and simple. It is my data that has been lost, not Gap Inc.'s. I want names and I am not going to stop until I get them.
My son was a victim and what was never checked was the state employment records. After applying for unemployment and college loans we found someone had made $20,000 in my son's name in 2007, and the Gap just wants to give him credit security. He is still only 17 and his history and number are already reported as fraudulent. A billion dollar company needs to be held responsible.
I can't even get monitoring because Trans Union cannot pull my file. There is a big mess regarding Gap Inc.'s so-called monitoring. I want the name of the vendor and I will not stop until I get it. How can Gap and the vendor be so irresponsible? Again, I am furious. The person who stole the laptops can lay low for about a year or two, then start using the information for identity purposes & credit card fraud. God knows what else. I will not stand for this.
I think you may get the answers you are looking for. There is a class-action lawsuit against Gap Inc. Answers should come as a result, but don't expect much in terms of compensation. In class-action lawsuits like this, the only ones who make out are the lawyers.
Why in the world can TransUnion not pull your file?! Gap and the vendor were irresponsible. They both had the full responsibility to protect the information they collected about you.
You are absolutely correct. Thieves ARE waiting to use information. Once confidential information has been disclosed there is no way to ever get it back, not after one year, not EVER. One year of credit monitoring might have some value if your Social Security number was only good for one year. You have my full support and I wish you the best. I wish more breach victims took more of a stand against abuse. It is sad that some companies just don't learn lessons until it affects the bottom line. It's both selfish and foolish.
I also am a victim of this security breach. Just today I found out that my credit card actually has been used fraudulently. My credit company took care of it, thankfully, and is sending me a new card, but if they had access to the old one through my SSN they will surely find access to the new one. I am very upset about this. I'm only 20; who knows how long I'm going to have to be dealing with this.
Assuming that the fraud you have been victimized by is a result of this breach (I would think the chances are good), then Gap's statement "At this time, we have no reason to believe the data contained on the computer was the target of the theft or that the personal information has been accessed or used improperly" doesn't hold much water.
We all pay the price when a company does not fulfill their responsibility to protect our data. Direct victims are obviously more affected than others. You have every right to be upset. There may be some things coming in the future that will help to protect your identity, but change takes time.