Stolen USinternetworking laptop affects hundreds of SPX employees

Date Reported:
4/15/08

Organization:
SPX Corporation

Contractor/Consultant/Branch:
USinternetworking, Inc.*

*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.


Victims:
SPX employees from the APV acquisition

Number Affected:
403

Types of Data:
Names, Social Security numbers, and banking information

Breach Description:
"Please be advised that on March 25, 2008, we received notice from one of our vendors, USinternetworking, Inc. (USi), that a USi laptop was stolen from the home of one of its employees. USi originally informed us that the laptop included personal identifying information, including names, Social Security numbers, and banking information, on approximately 329 individuals." "We later received word from USi that an additional 74 individuals were affected by this incident."

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Please be advised that on March 25, 2008, we received notice from one of our vendors, USinternetworking, Inc. (USi), that a USi laptop was stolen from the home of one of its employees. USi originally informed us that the laptop included personal identifying information, including names, Social Security numbers, and banking information, on approximately 329 individuals.

We later received word from USi that an additional 74 individuals were affected by this incident.

USi provides payroll processing and data management services for SPX companies, and has been a trusted partner for many years.
[Evan] What kind of "service" is unnecessarily exposing confidential information? I can only imagine how many confidential records USi collects, creates, stores, and transfers for their clients. USi is a large company with the resources to know better than to store confidential information on a poorly secured laptop (assuming little more than password protection).

Upon learning of this incident, in an effort to notify affected individuals as soon as possible, we forwarded a copy of the USi's March 25, 2008, communication to each of the affected individuals.

We have taken and continue to take steps to protect the security of the personal information.

Also, in addition to continuing to monitor this situation, we are reexamining our current data privacy and security policies and procedures to find ways of reducing the risk of future data breaches.
[Evan] One improvement that I can suggest is to mandate baseline information security controls through policy and contractual language. SPX should also audit vendors for information security compliance on a regular basis.

USi has reported the theft to law enforcement authorities and we believe the theft was a random act, based on the fact that other items, including a television set, were stolen from the home.
[Evan] Statements like this have become common in breach notifications. If this were the case, then why do we read headlines like "The FTC estimates that as many as 9 million Americans have their identities stolen each year"?

The laptop was password protected and we have no evidence that your employees' personal information has been, or will be, used for unauthorized purposes.
[Evan] Organizations should almost not even mention "password protected" anymore. It almost insults people's intelligence.

However, as a precaution, we are notifying you that the possibility exists that this information could be used to open or access your employees' credit or bank accounts.

Furthermore, USi is going to offer to your affected employees, free of charge, one year of credit monitoring and identity-theft protection.

USi deeply regrets this incident and apologizes for any inconvenience this may have caused you or your employees.

USi is taking steps to enhance the protection of the information you have entrusted to us to avoid future such incidents.
[Evan] Like what? This statement means nothing to me.

SPX has established a help line you can access at with questions or concerns.

We take this very seriously and we apologize for any inconvenience this incident may cause.

We treat all sensitive employee information in a confidential manner and are proactive in the careful handling of such information.
[Evan] Based on what I have read and assumptions where there were gaps, this statement is simply not true.

Commentary:
Again, this assumes that the laptop was not encrypted. USi clearly did not take adequate steps to reduce the risk of exposure to a generally acceptable level. There was no mention of encryption or of what USi's policies are in regards to storing confidential information on mobile devices. Readers only get "USi is taking steps to enhance protection" blah blah blah. Frustrating.

Past Breaches:
Unknown