FIS laptop with payroll and HR data is stolen

Date Reported:
9/24/07

Organization:
Fidelity National Information Services

Contractor/Consultant:
None

Victims:
Employees of Fidelity National Information Services (FIS) and Fidelity National Financial Inc. (FNF).

Number Affected:
Unknown*

*37 residents of New Hampshire alone.

Types of Data:
Name, Social Security number, employee number, address, email address, certain payroll information, and/or date of birth.

Breach Description:
A laptop was stolen from an employee of FIS who was providing technical assistance during a migration of payroll and human resources information to an Oracle system.  The laptop contained confidential, personally-identifiable information relating to FIS and FNF employees.

Reference URL:
New Hampshire Attorney General Report

Report Credit:
New Hampshire Attorney General

Response:
From the official New Hampshire disclosure letter and letter sent to victims:

"A laptop computer was recently stolen from an employee of Fidelity National Information Services, Inc. ("FIS")."

"The theft of the laptop occurred in Jacksonville, Florida and a report of theft was filed with the Jacksonville Police Department."

"This employee was providing technical assistance for the company's migration of payroll and human resource information to the Oracle system."
[Comfyllama] You know what system FNF is using to manage payroll and HR now.  Too much information for the purpose of explaining this breach.  There is a fine line between giving enough information to assist victims and giving too much.

"You can find out specifically what additional personal information of yours was on the laptop by contacting"

"The laptop was password protected, and we have no reason to believe that your data has been compromised or utilized in an unauthorized manner."
[Comfyllama] Do NOT be fooled.  Password protection is NO protection from anyone with even novice skills. Password protection on a laptop without encryption is next to useless.

"However, we have partnered with Consumerinfo.com, Inc., an Experian company, to provide you with a full year of credit monitoring.  If you are concerned about the possibility of misuse, we encourage you to take advantage of this complimentary membership"
[Comfyllama] Sounds like a commercial, almost.  I have two points to make about this quote.  One, "a full year" is over before you know it.  Information that is leaked is leaked PERMANENTLY, not for only one year.  Two, credit monitoring helps to alert a victim of identity theft AFTER THE FACT.

"Although we believe this theft does not present a significant risk to your identity"
[Comfyllama] What would FIS consider to be a significant risk?  This is coming from a company that seems to think that it is OK to store confidential information on a mobile device without encryption?  Seems pretty risky to me.

Commentary:
Well, this is the second significant breach involving FIS this year.  The first was Mr. Sullivan's thievery this past July.  My rationalizing brain could almost understand the first breach, but I have to admit that there is little excuse for this one.  There was no mention in either of the response letters whether this type of behavior goes against Fidelity Information Services policy.  One can only assume that it does not?  If storing confidential, personally-identifiable information on laptops without encryption does not go against policy, then shame on FIS.

I wonder how Fidelity customer information is stored?  I looked for an answer and ran into FIS' "Enterprise Security Services" brochure.

Past Breaches:
July, 2007 -



 
Comments
  • 12/25/2007 4:12 AM Cristian wrote:
    The Arizona Payroll Company (http://www.nationalpeo.com/payrollcompany.html) has suffered a similar event which ended in the jailing of an employee being accused of stealing sensitive information from the company. The stolen information was recovered and there were no further effects of the employee's action.