Stolen USinternetworking laptop also affects XL employees
Technorati Tag: Security Breach
Date Reported:
4/16/08 (this incident is also the cause of "Stolen USinternetworking laptop affects hundreds of SPX employees")
Organization:
XL Global Services, Inc.
Contractor/Consultant/Branch:
USinternetworking, Inc.*
*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.
Victims:
Employees
Number Affected:
Unknown
Types of Data:
Names, addresses, and Social Security numbers
Breach Description:
"A personal computer was recently stolen from an employee of one of our vendors, USinternetworking, Inc. of Annapolis, Maryland ("USi"). The personal computer contained the personal information of employees of XL Global Services, Inc. or its affiliates ("XL")."
Reference URL:
The New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
I am writing to inform you about a security breach.
A personal computer was recently stolen from an employee of one of our vendors, USinternetworking, Inc. of Annapolis, Maryland ("USi").
The personal computer contained the personal information of employees of XL Global Services, Inc. or its affiliates ("XL").
This information included names, addresses, and Social Security numbers of employees.
[Evan] Why this information is permitted to be stored on a laptop computer is anyone's guess. Allowing this information to be stored on a laptop computer alongside another client's information (see "Stolen USinternetworking laptop affects hundreds of SPX employees") and without encryption (we are assuming that there is none because none was mentioned) is shoddy. Our vendors are not allowed to co-mingle our data with that belonging to another company. Our vendors are not permitted to store "confidential" information without employing encryption. Our vendors are audited for compliance no less than semi-annually.
USi also informed us that the laptop itself was password protected and the two files containing the personal identifying information of Company employees would not be immediately evident.
[Evan] So? Password protection (probably OS-level) and security through obscurity are both ineffective.
At our request, USi immediately reported the theft to local law enforcement in Columbus, Ohio to investigate the matter.
The investigation has not yet been successful.
Although we have no evidence that this information has been improperly accessed or misused, we want to make you aware of the incident and the steps that have been taken to prevent a reoccurrence.
[Evan] I found nothing in the breach notification that reflects what the companies plan to do or have done to "prevent a reoccurrence".
We have sent multiple e-mail notifications to the affected employees to notify them of the breach and the status.
The notices describe, among other things:
(1) the general nature of the incident resulting in the potential information security breach,
(2) the type of personal information that was the subject of the possible security breach,
(3) the precautionary measures USi is taking (at XL's request) to help protect personal information from unauthorized use,
(4) contact information for inquiries, and
(5) how to enroll in Kroll's identity theft restoration and continuous credit monitoring services, which are being made available by USi (at XL's request) to affected individuals free of charge for two years.
XL takes privacy and security matters very seriously.
If you have questions or feel you may have an identity theft issue, please call ID TheftSmart member services at 1- between 8:00 am and 5:00 pm (Central Time), Monday through Friday.
On behalf of USi and the Company, we sincerely regret this incident.
Commentary:
These are the types of breaches that always get under my skin. I don't get it. These are two respectable companies. I understand that *&^% happens, but people can prevent this *&^%!
On a side note, does anyone know if Thomas Dunbar still runs information security at XL? He is the 2006 SC Magazine CSO of the Year.
Past Breaches:
Unknown