Unknown IP addresses access Lexmark personnel data

Date Reported:
2/15/08

Organization:
Lexmark International

Contractor/Consultant/Branch:
None

Victims:
"current and former employees"

Number Affected:
"some"*

*As of December 31, 2006, of the approximately 14,900 employees worldwide, 3,900 are located in the U.S. and the remaining 11,000 are located in Europe, Canada, Latin America, Asia Pacific, the Middle East and Africa.

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
Lexmark employees have been notified by the company that some of their sensitive personal information was inadvertently posted on a company-owned file transfer site.

Reference URL:
WKYT Channel 27 News story

Lexington Herald-Leader News story

Report Credit:
Scott Sloan, Lexington Herald-Leader

Response:
From the online sources cited above:

Lexmark International told employees this week that information that would identify them personally was inadvertently posted on a company file transfer site.
[Evan] It is not stated whether or not the site was publicly available. I assume that it was, much like ftp://ftp.lexmark.com.

In a letter to employees, Lexmark officials say files containing personal information from some current and former workers were accessed by two unknown parties, last month. Those files contained names, addresses and social security numbers.

It's uncertain whether anyone with malicious intent accessed the files.

The company will not say publicly what type of data was posted, but it did tell affected employees, said spokeswoman Barbara Leary. Lexmark also won't say publicly how many employees were affected.

Affected employees are being offered free credit-monitoring insurance and identity-theft insurance for a year.

The incident occurred Jan. 29 when the data were posted to a site used to exchange information with third-party companies.

"It wasn't a breach of systems," Leary said. "It was human error."
[Evan] A breach is a breach much like a pig is a pig, even if one is wearing a dress.

Within six hours, the release had been discovered and the files were removed, she said.

"We know that there were a couple of unknown IP addresses that accessed the data," Leary said. "We don't know if they downloaded it."

The company waited to disclose the incident to investigate exactly what had happened, the nature of the data released and to discover who was affected, she said.

There's no evidence that the information has been misused.

Commentary:
On the one hand, we are all human and all humans make mistakes. On the other hand, I question how this all happened and what kind of training the culprit received in the proper handling of confidential information.

According to the report, Lexmark detected the breach within six hours, which helped significantly in reducing the amount of risk.  It would be interesting to know the "unknown IP addresses".

Past Breaches:
Unknown


 