Two stolen Saks Incorporated laptops contained sensitive information

Date Reported:
4/30/08

Organization:
Saks Incorporated

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown*

*According to the New Hampshire State Attorney General breach notification there were 163 persons affected who reside in the state of New Hampshire

Types of Data:
Name, address, Saks Fifth Avenue credit card account number, and/or Saks Fifth Avenue/MasterCard co-branded credit card account number.

Breach Description:
"In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In mid-April 2008, Saks learned that four company laptops were stolen.  Two of the stolen laptops contained several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers.

Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data.
[Evan] Thank God for that!

Given the very limited type of personal information on these files and that it was stored on password-protected laptops, we believe there is a very low risk of identity theft or credit card fraud as a result of this event.
[Evan] I agree with the limited type of information argument, but could care less about password-protected laptops.  Password-protected laptops are little more than nothing to stop someone from accessing the information.

We have no indication that this personal information has been accessed or misused, or even that the laptops are in the hands of someone seeking to misuse the information.

Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news).
[Evan] I think laptop thefts and losses are more typical than network, website or database breaches.

The company has drafted a written notice of the breach that it will be sending to the affected individuals imminently.

Saks takes its customers' privacy very seriously, and we have exercised utmost caution and diligence in our response following the discovery of the theft.

Within hours of learning of the theft, we initiated our own investigation into the incident and notified law enforcement.

Finally, if you have additional questions related to this situation, you can contact us between the hours of 9:00 a.m. ET through 6:00 p.m. ET on Monday through Saturday through our dedicated toll-free information helpline at 1-.

We deeply regret any inconvenience or concern that this matter may cause you.

Commentary:
The letter sent to the affected individuals is signed by Stephen I. Sadove, Chairman and Chief Executive Officer of Saks Incorporated.  I respect Mr. Sadove for addressing this situation in person (so to speak).  It demonstrates his understanding that information security is a corporate issue for which he is ultimately responsible.

Past Breaches:
Unknown


 