Siemens Healthcare Diagnostics employees at risk from stolen laptop
Technorati Tag: Security Breach
Date Reported:
4/3/08
Organization:
Siemens AG
Contractor/Consultant/Branch:
Siemens Healthcare Diagnostics Inc.
Victims:
Employees
Number Affected:
3,542
Types of Data:
"personal information, including names, birthdates and Social Security numbers"
Breach Description:
Siemens Healthcare Diagnostics Inc. states "Please be advised that a Company laptop was stolen from the home of one of our employees. We believe the laptop contained personal information, including names, birthdates and Social Security numbers, on approximately 3,542 individuals"
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
Please be advised that a Company laptop was stolen from the home of one of our employees.
This letter is to notify you that one of our employees had a Company laptop computer, as well as some of the employee's personal items, stolen from the employee's home on March 26, 2008.
We believe the laptop contained personal information, including names, birthdates and Social Security numbers, on approximately 3,542 individuals.
[Evan] Does the storage of confidential information on laptops and/or other mobile media without encryption go against Siemens policy? It probably should.
The police were alerted to the theft and an investigation is underway.
We plan to begin notifying the affected individuals in the next several days.
We have and continue to take steps to protect the security of the personal information.
[Evan] This is a common and generic statement in breach notifications. What does it really mean? It's too subjective and open for interpretation. In the case of this breach it is obvious that the "steps to protect the security of personal information" were inadequate (assuming that controls such as encryption were absent). Was Siemens aware of the risk?
Also, in addition to continuing to monitor this situation, we are reexamining our current data privacy and security policies and procedures to find ways of reducing the risk of future data breaches.
We continue to assess and modify our privacy and data security policies and procedures to prevent similar situations from occurring.
We believe it is unlikely that the personal information on the laptop was accessed or downloaded by the person who committed the theft.
[Evan] Why? What leads a company to make such a statement? Is it evidence at the scene of the crime? Is it some type of security control that was in place?
Nonetheless, because we take the possibility of identity theft very seriously, we are sending this precautionary advisory.
The purpose of this letter is to make you aware of this incident so that you can take steps to protect yourself, minimize the possibility of misuse of your information and mitigate any harm that could result.
Based on what we know to date, we are not aware of any specific cases of misuse of personal information obtained in connection with the incident.
We apologize for this situation and any inconvenience it may cause you.
We treat all sensitive employee information in a confidential manner and are proactive in the careful handling of such information.
Please contact Sue Chalupnik at if you have any questions.
Commentary:
Throughout this posting I assume that the stolen laptop was not encrypted. If the laptop were encrypted then I would also assume that Siemens would have mentioned it. The State of New Hampshire does not have an encryption exemption for breach notification, so Siemens would have been required to report it either way.
This breach notification does not provide much insight into how Siemens secures confidential information with most of the language being very generic.
I'm taking bets. How many more companies will report lost or stolen mobile media (laptops, flash drives, CDs, etc.) storing sensitive information without encryption in 2008?
Past Breaches:
Unknown