Former employee exposes Purdue Pharma personal information

Date Reported:
4/14/08 (delayed)

Organization:
Purdue Pharma L.P.

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
~5,000

Types of Data:
"names, dates of birth, Social Security numbers and other pension related information"

Breach Description:
"a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you about an incident affecting information maintained by Purdue Pharma L.P. ("Purdue Pharma").

Purdue Pharma is a privately held pharmaceutical company.

We recently learned that a former employee accessed a disk containing personal information about individuals employed by Purdue Pharma and its associated U.S. companies prior to December 31, 2003 and attempted to email some of the information on the disk to another person.
[Evan] Attempted?  What prevented the former employee from actually sending the information?  It's not clear why the former employee wanted to send the information either.

We have determined that the disk contained information concerning approximately 5,000 individuals, and included names, dates of birth, Social Security numbers and other pension related information.

The former employee retained the disk when his employment ended, in direct violation of our policies and standard confidentiality agreement.
[Evan] This former employee may not have given a damn.

As soon as we learned of the unauthorized access, we promptly demanded that the information be deleted and returned to us.

The original disk has been returned and we believe that all copies of the information have been deleted.
[Evan] Once information confidentiality has been compromised it is very difficult (some would argue impossible) to restore it.  How can you be certain that the information has been deleted?

We have undertaken a thorough investigation of this matter and, based on results of that investigation to date, we have no reason to believe that the personal information was misused.
[Evan] Actually, there is EVERY reason to believe that the personal information was misused!  If the information was used in a manner that was not permitted by the owner (the victim), then it was misused.  That’s my definition anyway.

We are continuing to investigate the incident and are examining the measures we can take to help prevent incidents of this kind from happening again.

Even though we believe that there is little risk of fraud or identity theft against the individuals as a result of this incident, we are providing the potentially affected individuals, at our cost, with the identity theft protection services in the attached notification letter, for two years.
[Evan] If there is "little risk of fraud", then why spend thousands of dollars in notification (because it’s the law, I suppose) and identity theft protection (not required by law)?

Purdue has contracted to provide a two year subscription to TrustedID's IDFreeze.
[Evan] The cost of IDFreeze is $8.25/mo.  I am almost certain that Purdue isn't paying this full price and there is a good chance that not all affected persons will enroll, but for demonstration purposes only, $8.25/mo. x 5,000 subscriptions x 24 months = $990,000!

We deeply regret that this incident occurred and take very seriously our obligation to protect the privacy of personal information.

Commentary:
Employee and former employee information misuse is a very challenging issue for information security professionals.  It's tough to comment because we don't have much detail about what controls are already in place.

Past Breaches:
Unknown
