Nestle Waters North America employee affected by Systematic Automation breach
Technorati Tag: Security Breach
Date Reported:
2/26/08
Organization:
Nestle Waters North America Inc. ("NWNA")
Contractor/Consultant/Branch:
*
*This breach is related to:
"Theft from vendor affects Modesto City Schools employees" dated 2/12/08,
"L.A. Dept. of Water of Power employees exposed" dated 2/19/08,
"Clovis Unified School District employees receive notice" dated 2/21/08, and
"Systematic Automation breach continued..." dated 2/22/08
Victims:
Employees of NWNA in 2006
Number Affected:
8,245
Types of Data:
Names, dates of birth, addresses and Social Security numbers.
Breach Description:
Computer equipment was stolen from a Nestle Waters North America ("NWNA") vendor, Systematic Automation, that contained sensitive personal information belonging to persons employed with NWNA in 2006. Systematic Automation was employed by NWNA to create and distribute employee benefits statements. So far, this single breach has affected persons affiliated with five separate organizations.
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
An Important Notification To Our NWNA Employees:
Systematic Automation Inc. ("SAI"), one of our vendors, recently experienced a break-in at their facility in Fullerton, California. Among other things, a desktop computer was stolen that contained a database of sensitive personal information about NWNA employees, including a list of NWNA employees' names, addresses, dates of birth, and social security numbers.
This database only contained information about employees that were on the payroll as of February 1, 2006.
The information was password protected, but was not in an encrypted format.
[Evan] A username and password (most likely Windows operating system) is not adequate protection for confidential information. A Windows XP/2000 password can be bypassed in a matter of minutes. If the desktop computer were stolen for the information it contained, then we should consider it disclosed. Although encryption is not a perfect solution, it reduces the risk of exposure to an acceptable level in most circumstances.
We use SAI to create and distribute your employee benefits statements. In order for SAI to properly complete the work, we must provide SAI with certain personal information.
[Evan] Understood, but then SAI needs to be regularly monitored for compliance with policy around the protection of such information.
We deeply regret that this incident occurred and we are taking immediate steps to make sure that something like this does not happen again.
At this time, we do not know if the thieves stole the computer with the intent to use the personal information for credit fraud purposes or whether this was merely a random criminal act.
The Fullerton Police Department is investigating the incident and SAI is cooperating fully with the Police Department investigation.
If this stolen personal information got in the wrong hands, however, you are at risk for identity theft or fraud.
NWNA will also provide, at no cost to you, one year of premium credit monitoring from Equifax, a leading credit monitoring company.
[Evan] Equifax is a leading credit monitoring company, but also one of the three credit reporting agencies. It amazes me how Experian has capitalized on the information they collect, manage and sell. They are responsible for keeping accurate records, but at the same time will charge people a fee to make sure that they are doing what they are supposed to be doing. Something should give.
In the near future, instructions on enrollment will be mailed directly to your homes.
In addition, NWNA is in the process of establishing a hotline to provide you with the resources you need to get your questions answered.
NWNA sincerely regrets any inconvenience this incident may cause you.
Commentary:
As mentioned earlier, NWNA is the fifth known organization to be affected by the single break-in at Systematic Automation. It is becoming more and more clear that Systematic Automation did not follow some information security "best practices" by segmenting confidential customer data and encrypting it at rest.
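Evan's point above, that a login password is not encryption, and the call here for segmenting confidential data and encrypting it at rest, as an added example in Go (not code from the blog, NWNA or SAI): the employer keeps the full record and the key; the file handed to the statement vendor carries only what addressing and printing a statement needs, with date of birth and SSN present solely as AES-256-GCM ciphertext bound to the employee ID. The record layout, field names, the masked last-four convention and the sample employee are constructed for this example, and the assumption that a printer does not need the full SSN is mine, not something the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Employee is the full record as held by the employer (constructed schema).
type Employee struct {
	ID      string // employer-side identifier, used as AEAD associated data
	Name    string
	Address string
	DOB     string // YYYY-MM-DD
	SSN     string // NNN-NN-NNNN
}

// VendorRecord is what leaves the employer for the statement printer: clear
// fields needed to produce the statement, sensitive identifiers only as a
// ciphertext the vendor has no key for. A stolen copy is therefore useless
// without the employer's key, whatever the OS password on the box was.
type VendorRecord struct {
	ID        string
	Name      string
	Address   string
	SSNLast4  string // masked form, e.g. ***-**-6789
	Protected string // base64(nonce || AES-256-GCM(DOB "|" SSN))
}

// NewKey returns a fresh 256-bit key. Assumption for the example: random key
// in memory; in practice it lives in the employer's KMS/HSM, never at the vendor.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// seal encrypts plaintext with AES-256-GCM and binds it to aad (the employee
// ID) so a ciphertext cannot be moved from one employee's row to another's.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout: nonce || ciphertext || tag (Seal appends the tag to the nonce slice).
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails closed on a wrong key, wrong aad or any tampering.
func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// MaskSSN keeps only the last four digits: "123-45-6789" -> "***-**-6789".
func MaskSSN(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) < 4 {
		return "***-**-****"
	}
	return "***-**-" + digits[len(digits)-4:]
}

// Segment produces the vendor-facing row from the employer's full record.
func Segment(e Employee, key []byte) (VendorRecord, error) {
	blob, err := seal(key, []byte(e.DOB+"|"+e.SSN), []byte(e.ID))
	if err != nil {
		return VendorRecord{}, err
	}
	return VendorRecord{ID: e.ID, Name: e.Name, Address: e.Address,
		SSNLast4: MaskSSN(e.SSN), Protected: base64.StdEncoding.EncodeToString(blob)}, nil
}

// Restore rebuilds the full record; only the key holder (the employer) can.
func Restore(v VendorRecord, key []byte) (Employee, error) {
	blob, err := base64.StdEncoding.DecodeString(v.Protected)
	if err != nil {
		return Employee{}, err
	}
	pt, err := open(key, blob, []byte(v.ID))
	if err != nil {
		return Employee{}, err
	}
	parts := strings.SplitN(string(pt), "|", 2)
	if len(parts) != 2 {
		return Employee{}, errors.New("malformed protected field")
	}
	return Employee{ID: v.ID, Name: v.Name, Address: v.Address, DOB: parts[0], SSN: parts[1]}, nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample record, not real data.
	emp := Employee{ID: "E-0001", Name: "Jane Example", Address: "1 Sample St", DOB: "1970-01-01", SSN: "123-45-6789"}
	v, _ := Segment(emp, key)
	fmt.Printf("vendor row: %+v\n", v)
	wrong, _ := NewKey()
	_, err := Restore(v, wrong) // what a thief with the vendor file alone can do
	fmt.Println("restore with wrong key:", err)
}
```

The design choice worth noting is the associated data: tying each ciphertext to the employee ID means a row cannot be re-labelled to another person without the authentication tag failing, and the key never travels with the file, which is the property a Windows login password on the vendor's desktop could not provide.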
I have not yet seen a statement from Systematic Automation.
March 12, 2008 - UPDATE: A computer stolen from Systematic Automation is found
Past Breaches:
Nestle Waters North America:
Unknown
Systematic Automation:
February, 2008 - Systematic Automation breach continued...
February, 2008 - Clovis Unified School District employees receive notice
February, 2008 - L.A. Dept. of Water of Power employees exposed
February, 2008 - Theft from vendor affects Modesto City Schools employees