Stolen Wendy's laptop affects 1,092 employees
Date Reported:
12/21/07
Organization:
Wendy's International, Inc.
Contractor/Consultant/Branch:
None
Victims:
Wendy's employees
Number Affected:
1,092
Types of Data:
Name, email address, Social Security number, employee identification number, and salary information.
Breach Description:
A Wendy's laptop was stolen during a car burglary at a company employee's home on December 1, 2007. The laptop contained sensitive personal information belonging to 1,092 Wendy's employees including Social Security numbers and salary information. The employee reported the theft to Wendy's on December 3rd, and Wendy's reported the breach on December 21st.
Reference URL:
New Hampshire Attorney General breach notification
Report Credit:
New Hampshire State Attorney General
Response:
From the official New Hampshire breach notification:
We are writing to advise you of a recent incident involving the theft of a company-issued laptop containing certain personal information belonging to Wendy's employees.
On December 3, 2007, we were notified by an employee of a car burglary at an employee's residence on December 1, 2007, which resulted in the theft of a company-issued laptop.
Several cars in the neighborhood were the subject of break-ins that evening. Accordingly, it may well be that the computer data was not the target of the burglary, that the perpetrators are not aware that personal information is on the laptop, or that they are not sophisticated enough to access the data (the employee's log-in and password are required for traditional access methods, and the information was in a subfolder with an uninformative title).
[Evan] I can see the logic in this statement, but it doesn't excuse the fact that the information was not well protected. Little (or no) sophistication is required for someone to gain access to the data on the laptop (circumvent the employee log-in) if someone wanted to, and there is little (or no) security in the fact that the information wasn't labeled "identitythiefopenme.xls".
The information included the name, email address, social security number, employee identification number, and salary information
The total number of affected individuals was around 1092 (U.S.)
In order to ensure that affected individuals could take immediate steps to protect themselves from possible identity theft or other monetary damage, Wendy's will be sending a communication by first class mail on December 21, 2007
[Evan] Not really so "immediate", unless 20+ days is immediate.
at this time Wendy's has no specific knowledge that any information contained on the laptop has been accessed or misused
We are also determining internally whether having that data on the laptop was consistent with Wendy's data security policies and exceptions.
[Evan] This is the one statement that is the most troubling to me. The letter was written by the Wendy's Chief Information Officer (CIO) and you would think that a person in this position would know without too much investigation. Information security policies must be clear and concise so that all people completely understand them. Avoid gray areas whenever possible and create a policy waiver request and approval process for exceptional circumstances. Policy waivers that are approved (granted) are logged and archived.
If you have questions, please contact your local HR staff member or contact Wendy's International, Inc. Corporate Office at 1- and when prompted by the automated attendant, dial ext. 8052.
Please also accept my personal apology for any concern that this situation might create for you.
Commentary:
What can you say other than what was already written above? This is another instance of confidential data that was not adequately secured. It baffles me that there is a question as to whether or not the actions that led to this breach are against company policy. If the storage of confidential information on mobile media (thumb drives, CDs, DVDs, laptops, etc.) without encryption (and other controls) is not in policy, it certainly should be! Information security training and awareness also appear to be lacking.
Past Breaches:
Unknown
