Applera stolen laptop affects unknown number of employees
Date Reported:
10/1/07
Organization:
Applera Corporation
Contractor/Consultant/Branch:
None
Victims:
Applera employees
Number Affected:
Unknown*
*There were 24 residents of the State of New Hampshire that were reported to the Attorney General. Applera employs 5,530 people.
Types of Data:
First name, last name, and Social Security number.
Breach Description:
On August 9th, 2007 a laptop was stolen from the car of an Applera employee while it was parked in the Bed, Bath and Beyond parking lot in Norwalk, CT. The laptop contained sensitive information about Applera employees and was not encrypted.
Reference URL:
New Hampshire Breach Notification
Report Credit:
The New Hampshire Attorney General
Response:
From the official New Hampshire Attorney General breach notification letter, police report and victim notification letter available at the link above:
"On August 9, 2007, a thief broke into the car of an Applera employee and stole the employee's company-issued laptop computer"
"Applera worked diligently to reconstruct the files that are stored on the stolen computer"
"In early September, Applera determined that the stolen laptop contains one file with the name and social security number of Applera employees"
[Comfyllama] Uh oh! It is not clear if this breach affected all Applera employees or some subset.
"Applera Corporation recognizes the importance of safeguarding its personnel information"
[Comfyllama] Recognition doesn't help much, does it? I "recognize" that Applera did not "recognize" the significant risk of storing confidential information on mobile devices without encryption.
"Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct"
[Comfyllama] This is true to some extent, but is Applera implying that it used the "most rigorous safeguards"? I hope not, because they DID NOT.
"Our Company recently was victimized"
"We are pleased to report that the stolen laptop was password protected and did not contain credit or debit card number or financial account numbers"
[Comfyllama] I have said this before and I will say this again: password protection is little more than NO PROTECTION. A novice can get past Windows password protection in less than 5 minutes. There is nothing here that Applera should be "pleased to report".
"In addition, neither the vehicle nor the stolen briefcase would suggest to a passer-by the nature of the information stored on the laptop"
[Comfyllama] Security through obscurity and Windows password protection: are these some of the "most rigorous safeguards" that Applera was referring to earlier?
"Consequently, we have no reason to believe that the theft was directed at the information stored on the laptop."
[Comfyllama] What "reason to believe" would we be looking for?
"We also have received no reports to date, indicating that the information stored on the laptops has been misused"
"Applera recognizes that the theft of your personal information, and any related inconvenience, might be upsetting"
[Comfyllama] "might be upsetting"? Can you say out of touch?
Applera is providing a free year of credit monitoring through Consumerinfo.com
Commentary:
This has to be one of the most upsetting responses I have read from a company breach notification. There is no mention as to whether or not the practice that led to this breach is an accepted one. There is no excuse for storing personnel (or other sensitive) data on a mobile device without encryption. If I were a victim, I would demand more care.
Thank God Applera does not have my personal information!
Past Breaches:
Unknown
