51,000 Current and former Agilent Technologies employees at risk
Date Reported:
3/22/08
Organization:
Agilent Technologies
Contractor/Consultant/Branch:
Stock & Options Solutions
Victims:
Current and former Agilent employees
Number Affected:
51,000
Types of Data:
"names, Social Security numbers, home addresses and details of stock options and other stock-related awards"
Breach Description:
"A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor March 1 in San Francisco, the company said in a letter mailed to former employees this week."
Reference URL:
The Mercury News - Silicon Valley
Report Credit:
Vindu Goel, The Mercury News
Response:
From the online source cited above:
A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor March 1 in San Francisco, the company said in a letter mailed to former employees this week.
[Evan] A person in the comments of Vindu's View From The Valley "Agilent alert: Thief steals laptop with personal info on 51,000 employees" story claims "Estimates show that 700,000 laptops are stolen every year. A little more than 1900 a day!" This number seems high to me, but I guess I wouldn't be too surprised if it were true. Storing confidential information on laptops (especially without additional controls) is risky.
The data includes employee names, Social Security numbers, home addresses and details of stock options and other stock-related awards.
In the letter, Agilent blamed the San Jose vendor, Stock & Option Solutions, for failing to scramble or otherwise safeguard the data - "in violation of the contracted agreement."
[Evan] We don't often read about a company coming right out and blatantly pointing the finger at their vendor. I like the "call it like you see it" approach.
"It wasn't encrypted, which was a surprise to us," said Agilent spokeswoman Amy Flores. She said the vendor told Agilent that an East Coast employee had brought the data-laden laptop to California for encryption, but someone broke into her car and stole the computer and her other belongings while the vehicle was parked near Fisherman's Wharf.
[Evan] #1, we (meaning information security personnel) should not be surprised by what our vendors are doing with the information we are charged with protecting. Not only should we mandate specific controls in policies and contracts, but we also need to audit for compliance. #2, the vendor employee was bringing the laptop to California for encryption? I don't think there are any requirements that you have to go to California to encrypt laptops. Encryption should have taken place prior to allowing the information on it in the first place, and better yet should be part of a "standard" laptop build.
Flores said Agilent, a Santa Clara maker of test and measurement equipment, has no evidence that the lost data has been used to steal anyone's identity. However, Agilent is offering affected employees one free year of credit monitoring from Equifax.
[Evan] I haven't said this for a while, but credit "monitoring" is an after-the-fact solution that only alerts a person after they are an identity theft victim. One year of monitoring is good for monitoring information that is no longer useful after one year. Obviously a Social Security number will still be valid after the monitoring has ended.
Ironically, Stock & Option Solutions was hired to make sure that money management firm Smith Barney had properly transferred employee stock data to a new management firm, Fidelity Investments, which had been hired to administer Agilent's stock programs.
Matt O'Brien of Milpitas, a former research manager at Agilent who left in 2001, said he was "disgusted" when he received notice of the theft in his Friday mail.
said O'Brien. "Agilent should have put all of the data into an encrypted format to begin with."
[Evan] Bingo. A victim with more information security common sense than the offender.
Commentary:
At what point do we no longer accept lost or stolen laptops with confidential personal information at risk? Are the myriad of laws, regulations, negative news reports, etc. having a positive impact in reducing the frequency and number of victims? Maybe it's too early to tell.
I am also curious what Agilent and/or Stock & Options Solutions are planning in order to prevent similar circumstances in the future.
Past Breaches:
Unknown

I was notified today by THQ Inc. (a video game publisher) that Stock Options Solutions had a laptop stolen with no encryption but was password encrypted.
I do not know if it's the same laptop or not.
I've found no mention of this anywhere other than Agilent-based articles.