Deloitte & Touche and IKON lose confidential information
Date Reported:
12/14/07
Organization:
Deloitte & Touche USA LLP
Contractor/Consultant/Branch:
IKON Office Solutions
Victims:
Current and former partners, principals, and employees of Deloitte & Touche and its subsidiaries
Number Affected:
Unknown
Types of Data:
Names, Social Security numbers, dates of birth, "and other information relating to those personnel, such as employee hire and termination dates"
Breach Description:
An un-encrypted laptop was stolen from an IKON Office Solutions employee on November 19th, 2007 that contained sensitive personally identifiable information belonging to current and former Deloitte & Touche partners, principals and employees. IKON was serving as Deloitte & Touche's document management vendor.
Reference URL:
The New Hampshire State Attorney General breach notification
SC Magazine Story
Report Credit:
The New Hampshire State Attorney General
Response:
From the online sources cited above:
On November 21st, 2007, D&T USA's document management vendor, IKON Office Solutions, Inc. ("IKON"), informed D&T USA that a laptop containing a file with information about current and former partners, principals and employees of D&T USA and its subsidiaries had been stolen from an IKON employee's vehicle two days earlier.
The file included names, Social Security numbers, dates of birth and other information relating to those personnel, such as employee hire and termination dates.
IKON's employee reported the theft to the Walnut Creek, California police department. The police report number is 07-27609.
So far, the computer has not been recovered.
The laptop was not encrypted, but the laptop was password protected.
We have no information indicating the information has been misused.
We are in the process of notifying all affected individuals through first class mail, postage prepaid.
We have contracted with ConsumerInfo.com, Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.
We are committed to protecting all confidential information that is entrusted to us. Accordingly, we have suspended all work with the vendor on the pension record scanning project until the vendor can demonstrate that it has implemented appropriate data security protections.
[Evan] It's not uncommon for an organization to overlook the information that vendors and other third parties access and/or store. Information security controls surrounding vendor access must be addressed in policy, and then followed up with standards and controls. I wonder what Deloitte & Touche's policy is around vendor access to confidential information.
If you have any additional questions about this incident, please call the Personal Service Network (PSN) at +1 800 DELOITT (+1 ) and enter 12 to go directly to people who can answer questions about this incident.
Comments on the SC Magazine Story:
What makes Deloitte think that one year of monitoring will be all that is needed for the potential victims? I read where the average victim does not know till well beyond 12 months. - Mike
If "noted security experts" (so called in the article) can't get it right, then we're all in trouble. Laptop drive encryption is extremely easy to implement and manage corporate wide...and has been for years. So, why is this still happening? - Jim
Commentary:
According to the letter to affected individuals, IKON Office Solutions was responsible for scanning pension fund documents.
Although IKON is clearly at fault for the cause of this breach, Deloitte & Touche certainly shares the blame, and its letter reads as an attempt to deflect responsibility. Deloitte & Touche was given the information in the first place, and it remains responsible for what happens to that information until it is ultimately destroyed (if it ever is). Note also that "password protected" is not a substitute for encryption: an operating system login password only gates the installed OS, and whoever holds the stolen laptop can read the file straight off the disk by booting other media or moving the drive to another machine. We advise any client that contracts with third parties to create and adopt a "Vendor/Third-Party Access Security Policy". Vendors are required to comply with the policy, and it is often referenced in the contract itself. The purpose of the policy is to ensure that vendors and other third parties secure information at no lower a level than the original company does.
The comments made by readers of the SC Magazine story really sum up my immediate thoughts.
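The control that would have made this a non-event is full-disk encryption on the vendor's laptop, and the way to know whether a fleet actually has it is to audit data at rest rather than trust "password protected". The following is an added example, not code from Deloitte & Touche, IKON, or the cited sources: it walks the JSON tree that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits on a Linux host and reports every mounted filesystem that does not sit beneath a dm-crypt (`type == "crypt"`) layer. The sample output embedded below is constructed for the example, and the default exemption of the boot partitions is an assumption you should adjust to your own standard.

```python
"""Report mounted filesystems that have no encryption layer beneath them.

Added example, not from the breach report or either company. Assumes the
tree shape produced by `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`, where a
dm-crypt mapping appears as a child node with type "crypt". The sample
below is constructed; on a real host replace it with the lsblk output.
"""
import json

# Constructed sample: / and swap sit directly on plain partitions, /home is
# on a LUKS mapping, and the EFI system partition is plain (as it must be).
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None,
         "children": [
             {"name": "sda1", "type": "part", "fstype": "vfat",
              "mountpoint": "/boot/efi"},
             {"name": "sda2", "type": "part", "fstype": "ext4",
              "mountpoint": "/"},
             {"name": "sda3", "type": "part", "fstype": "crypto_LUKS",
              "mountpoint": None,
              "children": [
                  {"name": "home_crypt", "type": "crypt", "fstype": "ext4",
                   "mountpoint": "/home"}]},
             {"name": "sda4", "type": "part", "fstype": "swap",
              "mountpoint": "[SWAP]"},
         ]},
    ]
})


def find_unencrypted(lsblk_json, ignore_mountpoints=("/boot", "/boot/efi")):
    """Return (mountpoint, device) pairs for filesystems with no crypt layer above.

    Depth-first walk of the lsblk tree, carrying a flag that flips to True the
    first time a node of type "crypt" is crossed; every mountpoint found below
    that node is at rest under the encryption key. Mountpoints listed in
    ignore_mountpoints (an assumed default: the boot partitions, which normally
    cannot be encrypted) are skipped. Swap is deliberately not exempt, since
    an unencrypted swap partition can hold pages of the very file being protected.
    """
    tree = json.loads(lsblk_json)
    findings = []

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint and not under_crypt and mountpoint not in ignore_mountpoints:
            findings.append((mountpoint, node["name"]))
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in tree["blockdevices"]:
        walk(device, False)
    return findings


if __name__ == "__main__":
    for mountpoint, device in find_unencrypted(SAMPLE_LSBLK):
        print(f"UNENCRYPTED {mountpoint} on {device}")
```

On the constructed sample the audit flags `/` on sda2 and swap on sda4 while accepting `/home`, which is the state this laptop was evidently in: a login password in front of a disk whose contents are readable by anyone who pulls the drive. Run it across an inventory of vendor-managed machines and the report becomes the evidence the letter says IKON must now produce before work resumes.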
Past Breaches:
Unknown
In a lot of cases, confidential information is stolen, passed on, or written down for fraudsters by the EMPLOYEES themselves. You would be surprised how much access companies give employees (especially those that haven't been screened). Also, I have heard of NUMEROUS incidents of banks such as Lending Tree and other loan companies hiring ex-cons.
I do believe that people can rehabilitate in jail, but giving someone fresh out of jail access to corporate credit card accounts with names, addresses, and Social Security numbers? I think these companies should be investigated and charged with GROSS negligence and pay a massive fine so they start implementing better internal controls.
Most people don't understand how much damage can be done when private information gets into the wrong hands. Unfortunately, ex-cons who have had fraudster cellmates DO.