Computers stolen from J. Lohr Vineyards & Wines
Date Reported:
2/13/08
Organization:
J. Lohr Vineyards & Wines ("J. Lohr")
Contractor/Consultant/Branch:
None
Victims:
Current and former employees
Number Affected:
Unknown
Types of Data:
Names, addresses, Social Security numbers, and dates of birth
Breach Description:
Two computers were stolen from the office of J. Lohr Vineyards & Wines in San Jose, California. One of the computers contained sensitive personal information belonging to current and former employees who were/are participants in the company employee stock ownership program (ESOP).
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
On December 19, 2007, a thief broke into a locked office at the Company's headquarters and stole two computers.
We immediately reported the theft to the San Jose Police Department. The police are investigating the theft, and we are cooperating fully in the investigation.
[Evan] This may or may not always be a good idea. Understand the implications of contacting law enforcement before deciding to do so (with information security breaches). It is always a good idea to consult with your legal counsel when creating your incident response procedures to determine the best time to contact law enforcement.
We have worked to reconstruct the information stored on the stolen computers. We have determined that one of the computers contained information about participants in our Company ESOP, including the names, addresses, Social Security Numbers (SSN) and dates of birth of current and former J. Lohr employees, including yours.
J. Lohr Vineyards and Wines ("J. Lohr") recognizes the importance of safeguarding its personnel information.
Even the most rigorous safeguards, however, can not guarantee protection against criminal conduct.
[Evan] I agree that it is not possible to protect against all criminal conduct, but it was certainly possible to protect against this.
At this point, we have no reason to believe that the theft was directed at the information stored on this computer.
[Evan] There is no reason to believe that the theft was NOT directed at the information either.
We also have received no reports to date, indicating that the information stored on this computer has been misused.
We are in the process of evaluating steps that can be taken to make a recurrence of this incident less likely.
[Evan] There are always steps that can be taken to reduce risk.
J. Lohr recognizes that the theft of your personal information, and any related inconvenience, might be upsetting. We regret that this incident has occurred, and we apologize for any inconvenience it may cause you.
To lessen the potential inconvenience to you and to reduce the risk that you might be victimized by identity theft, we have arranged for one year of free credit monitoring
You have ninety (90) days from the date of this letter to activate this membership.
Commentary:
According to the breach notification, there was only one person affected who resides in the state of New Hampshire, but this is not a good indication of how many current and former employees may be affected. J. Lohr is a California company.
There is no mention as to whether or not this information was encrypted, so I am assuming that it was not. There could be many information security improvement suggestions that come out of this breach. There are thousands of companies that think they are doing the right thing with their information security dollars, but miss the mark.
Past Breaches:
Unknown
