BJs Wholesale Club's noble intentions

Date Reported:
1/15/08

Organization:
BJs Wholesale Club

Contractor/Consultant/Branch:
None

Victims:
Participants in the BJs tuition reimbursement program

Number Affected:
Unknown

Types of Data:
Names and Social Security numbers

Breach Description:
A mobile storage device (a thumb drive) used by a BJs employee, containing sensitive personal information about participants in the BJs tuition reimbursement program, has gone missing.  The team member who noticed the drive was missing was, at the time of the loss, in the midst of replacing the Social Security numbers used to identify those records with employee identification numbers.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We recently undertook a project to update the list of participants in our tuition reimbursement programs. Part of that work was to remove the social security numbers included in that list, and replace them with employee identification numbers.

The Team Member working on the project last accessed the data, contained on a mobile back-up device (often called a "zip drive" or "thumb drive"), on December 31, 2007.
[Evan] I assume that this was a thumb drive (or flash drive), not a zip drive.  They are not one and the same.  Thumb drives are not good back-up devices for confidential information without encryption, and even then they are a little "iffy" in my opinion.

On January 3, 2008, the Team Member discovered that the device was missing. That drive contained a file which included your name and social security number.

We take the security of our Team Members' personal information very seriously and regret that this incident occurred.

To date, we have received no indication that the information on this device has been accessed or misused, or even that the device is in the hands of someone seeking to misuse the information.

However, we do wish to take appropriate and precautionary measures to assist you in protecting your personal information.

BJ's Wholesale Club, Inc. is making arrangements to provide you with one year of credit monitoring at no cost to you.

As we review this incident, we are evaluating our policies and procedures to strengthen and reinforce our security practices pertaining to the use of mobile storage devices.

We are recalling all drives that are currently being used and replacing them with encrypted, password-protected drives.
[Evan] This is an excellent practice.

The company's security policies will be provided along with each newly-issued device.
[Evan] Training would be a very good addition.

We are committed to securely maintaining and protecting the privacy of our employees and will continue to take measures to help ensure that this does not happen again.

We deeply regret any inconvenience this incident may cause you. If you have any further questions or if there is anything BJ's Wholesale Club can do to assist you, please call 1-

Commentary:
This is an unfortunate breach.  BJs was doing the right thing by replacing Social Security number-based identifiers with employee identification numbers; the intent was, and is, noble.  The irony is that the conversion project itself is what put the SSN-keyed source list on a removable drive in the first place.  BJs is taking the necessary steps, recalling the drives in use and issuing encrypted, password-protected replacements, to reduce the chances of a similar occurrence.
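The conversion BJs describes, re-keying a participant list from Social Security numbers to employee IDs, is straightforward; the risk is in the intermediate copies.  The following is an added example (not code from BJs or from the notification) that performs the re-keying on a constructed, fictional participant list, keeps the SSN-to-employee-ID mapping separate from the output file, and runs a pattern check that should gate any file before it is copied to a thumb drive.  The employee IDs are minted here for illustration; in a real HR system they already exist.

```python
import csv
import io
import re

# Constructed sample of the kind of SSN-keyed participant list the
# notification describes. Names and SSNs are fictional.
SSN_KEYED_CSV = """ssn,name,course,amount
123-45-6789,Alice Example,Accounting 101,1200.00
987-65-4321,Bob Sample,Intro to Logistics,800.00
123-45-6789,Alice Example,Accounting 102,1200.00
"""

# Dashed SSN form, plus a conservative bare nine-digit form. The bare
# form can flag other nine-digit numbers; for a pre-export gate a false
# positive is the cheaper mistake.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def assign_employee_ids(rows, start=100001):
    """Map each distinct SSN to a synthetic employee ID (assumption:
    real systems would look the ID up in HR rather than mint it)."""
    mapping = {}
    for row in rows:
        ssn = row["ssn"]
        if ssn not in mapping:
            mapping[ssn] = f"E{start + len(mapping)}"
    return mapping


def rekey_to_employee_ids(csv_text):
    """Return (rekeyed_csv, mapping). The rekeyed CSV carries no SSN
    column; the mapping is as sensitive as the original and must stay
    in the system of record, never on the same removable media."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    mapping = assign_employee_ids(rows)
    out = io.StringIO()
    writer = csv.DictWriter(
        out,
        fieldnames=["employee_id", "name", "course", "amount"],
        lineterminator="\n",
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({
            "employee_id": mapping[row["ssn"]],
            "name": row["name"],
            "course": row["course"],
            "amount": row["amount"],
        })
    return out.getvalue(), mapping


def find_ssns(text):
    """All SSN-looking tokens in a file; empty list means it is clean."""
    return SSN_RE.findall(text)


def release_check(text):
    """Gate for copying a file to removable media: refuse if any
    SSN-looking token remains. Returns True when the file is clean."""
    hits = find_ssns(text)
    if hits:
        raise ValueError(f"refusing export: {len(hits)} SSN-like tokens present")
    return True


if __name__ == "__main__":
    rekeyed, mapping = rekey_to_employee_ids(SSN_KEYED_CSV)
    print(rekeyed)
    print("distinct participants:", len(mapping))
    print("original list clean?", not find_ssns(SSN_KEYED_CSV))
    print("rekeyed list clean?", release_check(rekeyed))
```

The point of `release_check` is that the source list, still keyed by SSN, fails the gate, while the rekeyed output passes; the file that ends up on a drive should only ever be the latter, and the mapping returned alongside it should never leave the system of record.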

Past Breaches:
Unknown
