ESMNE inadvertently discloses employee financial details

Date Reported:
3/26/08

Organization:
Eastern Sales and Marketing New England ("ESMNE")

Contractor/Consultant/Branch:
None

Victims:
Current and former employees

Number Affected:
137

Types of Data:
Names, bank identification numbers and bank account numbers

Breach Description:
"I am writing to notify you that on March 20, 2008, Eastern Sales and Marketing New England ("ESMNE") learned that it inadvertently disclosed to one of its former employees your name, bank identification number and bank account number."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to notify you that on March 20, 2008, Eastern Sales and Marketing New England ("ESMNE") learned that it inadvertently disclosed to one of its former employees the name, bank identification number and bank account number of 137 current and former employees.

ESMNE believes that 8 of these 137 affected employees are New Hampshire residents.

On March 13, 2008, ESMNE sent a letter to a former employee regarding funds (totaling $985.44) that it erroneously deposited into her account during her employment with the company.
[Evan] This information is unique in a breach notification.

The funds should have been deposited into another employee's account as reimbursement for his business expenses. ESMNE has reimbursed that other employee, but would like the former employee to return the money she received in error.
[Evan] More interesting and unique information.

ESMNE enclosed with the March 13th letter documents verifying that the money was deposited in error.

Unfortunately, ESMNE failed to redact from those documents information related to other employees. That information included the employees' names, bank identification numbers and bank account numbers.

The employee who received the inadvertent disclosure returned the documents to ESMNE and stated that she does not want any of the inadvertently disclosed information in her possession.

ESMNE has sent notices to all of the affected New Hampshire residents.

We have no reason to believe that your information has been misused. In fact, the former employee to whom ESMNE accidentally disclosed the information returned all of the information to us and informed us that she does not want the information in her possession.
[Evan] It is a good thing that the person receiving the information was honest about this matter.  If the information had been sent to someone with lesser morals, the company may have never been aware of their mistake.

Nevertheless, we want to inform you of the situation and suggest some steps you may want to consider to protect yourself.

We take seriously our commitment to safeguarding confidential information entrusted to us by our employees, such as your personal information.

Rest assured that we are carefully reviewing this matter and taking measures to ensure that it does not happen again.

Again, we apologize for any inconvenience or concerns the disclosure of your information to one former employee may cause.

We are committed to assisting you in protecting yourself. If you have any questions or need additional information, please contact Cindy Murray at .

Commentary:
A simple user error on the part of ESMNE? I wonder if the employee who sent the letter to the former employee was aware of the information and its sensitivity. Well-designed and relevant information security awareness (and training) can limit the number and impact of employee errors.

Past Breaches:
Unknown


 