Stolen Griffin Electric laptop exposes employee information

Date Reported:
3/21/08

Organization:
Wayne J. Griffin Electric Inc.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Unknown*

*The New Hampshire State Attorney General was notified of "approximately 55 New Hampshire residents"

Types of Data:
"employee names, social security numbers and dates of birth"

Breach Description:
"Please be advised that our company experienced a potential data breach that occurred when one of our Human Resources employees had their home broken into which involved a theft of personal items, along with a password protected company laptop computer and company health plan insurance invoices. The theft occurred over this past weekend."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

This letter is to notify you that an employee in our Human Resources Department had personal items stolen from her home over the weekend, along with a password protected Company laptop computer, and Company health plan insurance invoices.
[Evan] Yeah, don't forget to mention "password protected", even though it likely provides little to no protective value.

The Worcester, MA city police department was alerted the same day as the theft and an investigation is underway.

The laptop contained the names of certain employees, their social security numbers, and dates of birth.
[Evan] This information should NOT be on a laptop (or other mobile device) without additional controls.  Although no control is perfect, clearly encryption would be a control that could have significantly reduced the risk of exposure.

The health insurance paper invoices listed employee names and social security numbers, although those security numbers were identified as "sub. numbers" and not "social security numbers."
[Evan] Ugh.  Why would this information ever be allowed outside of (what would be assumed as) a secured or controlled office environment?  It would take a complete idiot to not identify a xxx-xx-xxxx pattern of numbers as a Social Security number, even if you call it something different.  Even a xxxxxxxxx number on a health insurance invoice would be pretty easy to identify.

The invoices did not include any personal medical information, addresses or dates of birth.
[Evan] No need.  A potential identity thief already has enough information with what was disclosed.

We take the possibility of identity theft very seriously and, therefore, are sending this precautionary advisory.

The purpose of this letter is to make you aware of this incident so that you can take steps to protect yourself, minimize the possibility of misuse of your information and mitigate any harm that could result.
[Evan] It is a shared responsibility of the data owner (victim) and the data custodian (company) to "take steps to protect".  The data custodian did not "take steps to protect" in this breach by adequately securing personal information.

Based on what we know to date, we are not aware of any specific cases of misuse of personal information obtained in connection with the incident.

We apologize for this situation and any inconvenience it may cause you.

We treat all sensitive employee information in a confidential manner and try to be proactive in the careful handling of such information.
[Evan] I am interested to know what the company's definition of "confidential manner" is.  I think it probably differs from the definitions of many information security professionals.

We continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.
[Evan] The word "continue" in my mind implies that this was done prior to the breach.  Do you think that this was the case?  It should be.

Due to the details of the above crime, we do not believe your information will be misused as a result of this incident.
[Evan] How is the conclusion drawn?  Why would the thief take the health insurance invoices?  Maybe the company doesn't think that identity theft and fraud are profitable for a thief, or maybe the company thinks that identity theft doesn't really happen.

However, as a precaution, we are finalizing arrangements to provide you with credit monitoring services (at the company's cost) should you wish to use such a protective measure.

Any employee who wishes to use such a service can call the Holliston, MA office at 1- and talk with Sandy Crowe at Extension 5251 or Mark Danielson at Extension 5349 for assistance.

Again, we apologize for any inconvenience this incident may cause you or your family and we encourage you to take advantage of the resources we will provide to you to protect your personal information.

Commentary:
I am puzzled every time I read about people leaving confidential information at home, in a car, or in a public place on a mobile device such as a laptop without encryption (at a minimum).  Ideally, we would all like confidential information to remain at the office, but sometimes this just isn't feasible for a business.  Was the company never approached by anyone trying to sell them data encryption products?  Did anyone at the company ever conduct any research into the risks involved?  Did anyone at the company ever read one of the hundreds (or maybe thousands) of stories concerning stolen laptops with personal (or other confidential) information?

Nothing personal with Griffin, I am venting again.

Past Breaches:
Unknown

Comments
  • 12/12/2008 1:10 PM Kathy wrote:
    Griffin Sucks! They don't care about the employees.
    1. 12/12/2008 1:15 PM Evan Francen wrote:
      Kathy,

      Can you give examples, maybe more information?  Or is that it?
  • 3/5/2009 10:12 PM guest wrote:
    Kathy is right...an employee I worked with was fired when the big man found out the person was moving...nice, huh?
  • 6/28/2010 4:58 AM electricians wrote:
    Sometimes a company requires their employees to work from home, which means they have to bring the laptop. It's basically their fault if they fail to provide proper encryption. And it's not the employee's fault that his house got broken into!