159,000 Administaff employees exposed

Date Reported:
10/17/07

Organization:
Administaff Inc.

Contractor/Consultant/Branch:
None

Victims:
Current and former Administaff worksite employees

Number Affected:
159,000*

*96,000 former employees and 63,000 current employees

Types of Data:
Name, address and Social Security number.

Breach Description:
A laptop computer containing sensitive personal information about current and former Administaff employees was stolen from a contractor working for Administaff.  The contractor was performing work "in response to a governmental reporting requirement," and the data was not encrypted.

Reference URL:
Administaff Public Press Release

Report Credit:
Administaff Public Relations

Response:
From the official announcement and other online resource cited above:

"Oct. 15, 2007--Administaff, Inc. (NYSE:ASF), a leading provider of human resources services for small and medium-sized businesses, today announced that a company laptop computer containing personal information about individuals who were Administaff worksite employees during calendar year 2006 has been reported missing."
[Comfyllama] This would be the 4th breach in a row reported on The Breach Blog that was a result of a lost or stolen, unencrypted laptop.  This is also the 2nd breach in a row that concerned a contractor.

"The facts as determined by the company's investigation strongly indicate that this was a random event, and that the personal information was not specifically targeted."
[Comfyllama] This is a minimizing statement meant to assure victims that the disclosure of their information is not really as big of a risk as it may seem.  Administaff would have no way to tell if this laptop or the information contained therein were a specific target or not.  People should not let this statement detract from the fact that their information WAS NOT properly secured and was subsequently lost (or stolen).

"At this time, the company has no reason to believe that the personal information has been accessed or used improperly."
[Comfyllama] Notice a pattern?

"The laptop computer, which was reported missing on Oct. 3, 2007, is password protected; however, the personal information was not saved in an encrypted location, which is a clear violation of company policies."
[Comfyllama] Another minimizing statement.  The bad: password protection is little more than no protection, and the confidential data was not encrypted.  The good: at least Administaff has a policy that, when followed, would have prevented this.  Policies without enforcement don't do much to protect information though.

"The confidential data was being compiled in response to a governmental reporting requirement and included names, addresses and Social Security numbers for most worksite employees paid by Administaff in 2006."

"The company is taking steps to notify approximately 96,000 former worksite employees and approximately 63,000 current worksite employees in writing and will offer to them one year of free credit monitoring services with fraud resolution assistance."
[Comfyllama] People need to realize that once confidentiality is breached, there is NO getting it back.  The information does not go back to secret after a year and the identity of a victim doesn't change after a year.

"Administaff has also established a toll-free dedicated helpline and Web site for affected individuals and clients. Affected individuals can find additional information to assist them at www.administaff.com/idprotection."

""Maintaining the integrity of confidential information is of utmost importance to Administaff, and we continue to take appropriate measures to safeguard the security of personal data," said Paul J. Sarvadi, Administaff chairman and chief executive officer. "We deeply regret that this incident occurred. While we have no evidence to suggest the information stored on the computer has been accessed or misused, we are taking precautionary measures to ensure that the affected individuals have resources available to protect themselves.""
[Comfyllama] I'm sorry, maybe it's just the mood I am in today, but this apology was nice until the attempt to minimize the situation again.  I am irritated, and I'm not even a victim.  It's a positive sign that the CEO made a statement because the "buck stops with him" so to speak.

Commentary:
I am truly irked by this breach for some reason other than the fact that this is yet another stolen laptop that contained sensitive personal information that was not encrypted.  To make matters worse, this was another contractor.  As I stated in my last posting, contractors accessing the information resources of an organization must comply with the same policies as employees.  Contractors must also be audited for compliance on a regular basis.  The encryption piece should be obvious, but I guess it ain't so obvious to the companies that keep losing innocent people's data.

Past Breaches:
Unknown



 