Mistake leads to disclosure affecting Daymon Worldwide employees

Date Reported:
10/05/07

Organization:
Daymon Worldwide

Contractor/Consultant/Branch:
None

Victims:
Daymon Worldwide employees

Number Affected:
1,416

Types of Data:
Names, employment status, dates of birth, salary, Social Security numbers and other financial data.

Breach Description:
On September 10th, 2007 an employee of Daymon Worldwide inadvertently accessed a file on a Daymon internal file server that contained sensitive personal information relating to Daymon employees participating in employee stock ownership and options plans.

Reference URL:
State of New Hampshire Attorney General Breach Notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the official New Hampshire breach notification and supporting documentation:

"Specifically on September 10th, 2007 Kevin Conran, a Daymon employee was accessing files stored on Daymon's file servers and inadvertently accessed a folder relating to employee stock option plans that contained potentially sensitive and personally identifiable information."
[Comfyllama] Something just doesn't seem right about naming an innocent associate in the breach notification, but what is public is public.  I use the direct quote in this post because I hope people hold Mr. Conran in high regard for doing the right thing!

"Mr. Conran immediately reported the unsecured files to his superior"
[Comfyllama] Like I said, the right thing.

"Daymon immediately undertook an exhaustive investigation into the cause of the condition allowing unauthorized access, and believes that access to the files in question had been restricted to two employees in Daymon's Payroll Department"

"A decision was made to allow access to two other employees for business purposes, additional coverage for the administration of the stock option plan."

"Daymon's investigation has indicated that in expanding access to these files, all access restrictions were inadvertently removed."

"Daymon's investigation has indicated that it has no reason to believe that anyone else had unauthorized access to this information and has found no evidence that it was used improperly."

"Nor is there any evidence that any of the information involved was downloaded, copied or accessed by the public"

"To correct and prevent any future incidents of this type, default user access rights to none.  Each folder containing the type of information involved in this situation now requires explicit user access rights that are authorized by the department head."
[Comfyllama] The National Security Agency has some very good guidance for securing network, server, folder and file resources.  These Security Configuration Guides are excellent reads!

"Daymon has also put in place an audit program for its processes used in creating shared folders and in granting access rights to Daymon employees."

Commentary:
Daymon deserves some credit.  This response appears to be open, honest and sincere.  Kevin Conran also deserves credit for doing the right thing by reporting the incident to his superior "immediately".

This is obviously a breach that occurred through a mistake in the application of user permissions (or rights), but it is not clear how long the wrong permissions were in place on the file(s) in question.  It is also not clear if there are any change control processes in place at Daymon that should have caught this prior to disclosure.  If there aren't change controls around security permissions and rights, there should be.
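As an added example (not from the notification or from this post), here is a small Python audit in the spirit of the "default access none, explicit authorized grants" control Daymon describes: it parses constructed icacls-style ACL output for two invented folders and flags every grant that is neither administrative nor on a department-head-approved list, so an inadvertently removed restriction (a broad group suddenly able to read a payroll folder) surfaces in a scheduled check instead of when an employee stumbles on it. The folder paths, principal names and approved-grant table are all assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of `icacls <folder>` output; paths and names are invented.
SAMPLE_ACL_DUMP = r"""
\\fileserver\hr\StockOptions BUILTIN\Administrators:(OI)(CI)(F)
                             CORP\payroll.alice:(OI)(CI)(M)
                             CORP\payroll.bob:(OI)(CI)(M)
                             CORP\Domain Users:(OI)(CI)(RX)
\\fileserver\hr\Benefits BUILTIN\Administrators:(OI)(CI)(F)
                         CORP\payroll.alice:(OI)(CI)(M)
"""

# Principals that should never hold rights on a restricted folder (assumed list).
BROAD_GROUPS = {"Everyone", r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", r"CORP\Domain Users"}
# Administrative principals that are always permitted (assumed).
ADMIN_PRINCIPALS = {r"BUILTIN\Administrators"}
# Grants explicitly authorized by a department head; a folder not listed here defaults to "none".
APPROVED: Dict[str, Set[str]] = {r"\\fileserver\hr\StockOptions": {r"CORP\payroll.alice", r"CORP\payroll.bob"}}

# One ACE: principal, colon, then one or more parenthesized flag groups, e.g. CORP\bob:(OI)(CI)(M)
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

def parse_icacls(dump: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {folder: [(principal, rights), ...]} from icacls-style text (paths without spaces)."""
    acls: Dict[str, List[Tuple[str, str]]] = {}
    folder = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # first ACE of a folder is prefixed with its path
            folder, _, line = line.partition(" ")
            acls[folder] = []
        m = ACE_RE.match(line.strip())
        if m and folder:
            flags = re.findall(r"\(([^)]+)\)", m.group("flags"))
            acls[folder].append((m.group("principal"), flags[-1]))  # last group is the rights mask
    return acls

def audit(acls: Dict[str, List[Tuple[str, str]]], approved=APPROVED) -> Dict[str, List[Tuple[str, str, str]]]:
    """Flag every ACE that is neither an admin grant nor an explicitly authorized grant."""
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    for folder, aces in acls.items():
        allowed = approved.get(folder, set())     # unknown folder -> default rights are none
        for principal, rights in aces:
            if principal in ADMIN_PRINCIPALS or principal in allowed:
                continue
            reason = "broad group" if principal in BROAD_GROUPS else "no authorized grant on record"
            findings.setdefault(folder, []).append((principal, rights, reason))
    return findings

if __name__ == "__main__":
    for folder, items in audit(parse_icacls(SAMPLE_ACL_DUMP)).items():
        for principal, rights, reason in items:
            print(f"{folder}: {principal} has ({rights}) - {reason}")
```

On a real file server the dump would come from running icacls (or an equivalent ACL export) against each restricted share, and the approved-grant table would be the record the department head signs off on.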

Another thing that comes to mind is whether or not this is an IT/information security training issue.  Overall, I appreciate the above average response and candidness on the part of Daymon.

Past Breaches:
Unknown