Laptop stolen from Sodexo employee's car

Date Reported:
5/9/08

Organization:
Sodexo

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
Unknown*

*There are 919 Maryland residents reported by the company

Types of Data:
Names and Social Security numbers

Breach Description:
Sodexo recently reported an information security breach affecting company employees.  A letter was sent reporting "the recent theft of a Sodexo-owned laptop computer that may have contained a file with personal employee information."

Reference URL:
The Maryland State Attorney General breach notification (pdf)

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

We are writing to inform you, pursuant to the provisions of Maryland Statutes Section 12-3504(h), of an incident involving possible unauthorized access to personal information relating to 919 employees of Sodexo who reside in Maryland.
[Evan] Sodexo employs 342,000 people worldwide.  That's a lot of people.  This breach only affected a subset of employees, but imagine how big a problem there is if storing confidential information on an unencrypted laptop is an acceptable practice.

We are sending letters today to these employees to notify them of the theft of a Sodexo-owned laptop computer from the automobile of an employee of Sodexo in Montgomery County.
[Evan] An equation for you math types.  Laptop + confidential information + automobile - encryption - employee presence = unacceptable risk of breach.  It seems to be an equation that holds true more often than not.

This laptop may have contained an electronic file with the names and Social Security numbers of these employees.
[Evan] May have or may not have contained the sensitive file.  I do give Sodexo credit for following the high road and disclosing the breach.  This one seems like it would be pretty easy to "sweep under the rug."

The file did not contain date of birth, home address, or other personal identification or personal financial information.

The computer was password-protected.
[Evan] Big deal.

There is a risk, however, that a dedicated and computer savvy thief could circumvent this protection and gain access to files on the computer.
[Evan] It really doesn't take much dedication OR skill.

We have not uncovered any indication that the information was the target of the theft or that the information has been accessed or misused.

The incident was reported to the Montgomery County Police Department and is under investigation.

We have not been able to confirm definitively that this file was on the laptop.

We are sending a separate letter today concerning this incident to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.

We are sorry that this has happened.
[Evan] I like the word "sorry" here.   Most breach notifications use "regret" and "apologize", but sometimes I like the simple "sorry".

We take very seriously the information security of all of our employees, clients and customers.

We continually enhance and update our information protection and security protocols.

We are committed to ensuring that we have the procedures and processes in place to prevent this from happening again.
[Evan] I hope that Sodexo shares what procedures and processes they end up using.  I can think of a few that might help.

We have established a toll free hot line, 1-, for you to contact with questions related to this incidence.

Commentary:
Here, I am going to take the exact same commentary section from the last breach that I just wrote about.

"Breaches resulting from a lost or stolen laptop computer containing confidential information without encryption are NOT breaking news.  These are reported regularly.  So what would be the excuse?  It's hard to claim that you didn't know any better."

Almost like a broken record.  Sodexo did not mention if any of the circumstances that led to this breach were violations of corporate policy.

Past Breaches:
Unknown

Comments
  • 5/22/2008 3:07 PM Mike M wrote:
    Makes me wonder about this on a different level....with the amount of laptops which are unencrypted and left in cars, isn't it likely for most employees to report it stolen, when in fact it wasn't? It does pose as an interesting option if someone is disgruntled with their company and wishes to see the company name all over the web and newspapers reporting a data loss..
    1. 5/22/2008 4:03 PM Evan Francen wrote:
      Excellent point and certainly conceivable.

      Organizations should have something in their incident response procedures (assuming they have them) to deal with this scenario to some extent.  As part of the incident response procedures implemented at the organizations that I consult with we use an incident response form.  In the case of a laptop theft/loss, employees report the incident to the help desk.  The help desk in turn completes the incident response checklist and form.  One question on the form is "Has law enforcement been contacted?  If yes, please provide:  Police department, Date notified, Case number, Officer name."

      If an employee claims that his/her laptop is stolen, it is mandatory that THEY file a police report in the jurisdiction where the theft occurred.  This deters employee theft to some extent.

      I hear you though Mike.  Issues of employee theft and fraud are tough nuts to crack.
