Semtech U.S. employees affected by a vendor's stolen laptop

Date Reported:
10/8/07

Organization:
Semtech Corporation

Contractor/Consultant/Branch:
Unnamed Vendor

Victims:
Semtech U.S. employees

Number Affected:
Unknown*

*Semtech employs roughly 690 people, but it is unknown how many are U.S.-based.

Types of Data:
The company has not publicly announced what data was stolen, only stating that the stolen laptop "may have contained computerized data relating to Semtech employees."

Breach Description:
A laptop was stolen from one of Semtech's vendors that "may have contained computerized data relating to Semtech employees."  Semtech notified all of its U.S.-based employees of the laptop theft in late September, 2007.

Reference URL:
Pacific Coast Business Times Story

Report Credit:

Stephen Nellis, Pacific Coast Business Times

Response:
From the online article cited above:

"The Camarillo-based chipmaker said a laptop computer and other personal belongings were stolen from one of its vendors. The computer was not stolen from a Semtech facility, but “may have contained computerized data relating to Semtech employees.”"

"Semtech notified all of its U.S. employees in late September, although the company declined to say how many of its 690 employees are based in the United States. The firm also declined to name the vendor from whom the computer was stolen."
[Comfyllama] This is another one of those incidents where the company believes that it is best not to disclose details of a breach.  This is sad and only serves to protect Semtech and its privileged vendor.  I don't know what the employee notification said, but I certainly hope it was more forthcoming.  People should demand more.

"Semtech declined to provide further details of the incident, such as what personal employee data may have been put at risk, when the theft happened or how long it took the company to inform its workers of the potential breach."
[Comfyllama] Again.  Tight-lipped incident response.

"Semtech employees will be offered identity theft protection services from an Arizona-based firm called LifeLock."
[Comfyllama] I've seen the commercials, but this is the first time I have seen a company offer LifeLock's services.

"The vendor that lost the laptop will pay for identity-theft protection services for all of Semtech’s employees for one year."
[Comfyllama] I have said this before: this would be a better solution if only identities would expire in one year.  Let's say for a second that this information actually did fall into the hands of someone interested in identity theft.  Why not wait a year or so?  One year does little to stop the problem.

Commentary:
This is a frustrating breach.  We know that the unnamed vendor was storing confidential data on a mobile device (laptop) and that they were most likely storing it unencrypted.  Bad and bad. 

I am not a victim personally, but I would certainly like to know who the vendor is so that I can determine if I do business with them too.  If the vendor was not disclosed to the victims, then it would only make sense for them to demand such information.  The compromised information does not belong to the vendor or Semtech; it belongs to the victims.

This is too much like the recent Gap Inc. breach that affected 800,000, where they also decided it best not to disclose the vendor.  I hope companies don't start to use these incident responses as a standard because it sets a poor precedent.

Past Breaches:

Unknown




 