Axcess Financial reports stolen laptop to New Hampshire AG
Date Reported:
5/13/08
Organization:
Axcess Financial Services, Inc.*
*Axcess Financial Services, Inc. appears to be affiliated with, or another name for, CNG Financial Corp., aka Check 'n Go.
Contractor/Consultant/Branch:
None
Victims:
Customers
Number Affected:
Unknown**
**Axcess informed the New Hampshire State Attorney General of 142 residents affected in her state.
Types of Data:
"personal information (such as name, address, and social security number)"
Breach Description:
Axcess Financial Services, Inc. has notified the New Hampshire State Attorney General of a breach involving a stolen employee laptop that contained personal information belonging to customers.
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
The purpose of this letter is to inform the New Hampshire Department of Justice that a security breach occurred in connection with a crime involving an employee's stolen computer.
Although information contained within the stolen computer is unlikely to have resulted in unauthorized access due to the password protection and other security measures, we are notifying your office because information contained therein may have included data with some of your residents' personal information (such as name, address, or social security number).
[Evan] Password protection provides very little assurance that the information won't be accessed. What are the "other security measures"?
This crime occurred on or about October 23, 2007, and we filed a police report with state law enforcement officials.
[Evan] October 23, 2007?!
Following the discovery of this crime, an extensive forensic investigation was required to determine the information contained within the stolen property.
There has been no indication that any misuse of this information has occurred in connection with the breach described above.
[Evan] A breach notification almost wouldn't be a breach notification without this statement (or similar).
Notification to the 142 affected New Hampshire residents was mailed in the form of a letter on or about May 13, 2008.
[Evan] This is 6 months and 20 days (or 203 days) after the incident occurred! Why the delay? Do you suppose that a "forensic investigation" of the information that may have been on the laptop took this long? Ugh. Maybe the police asked them to wait. Either way, this amount of time seems extraordinarily long.
Axcess Financial fully intends to cooperate with law enforcement in this ongoing criminal investigation and to assist customers with concerns relating to this unfortunate event.
Notification to customers:
We are writing to advise you of a petty crime involving an employee's stolen belongings on October 23, 2007, which happened to include a secure computer that may have contained data with some of your personal information (such as name, address, or social security number).
[Evan] Really? A "petty crime"? Petty as in "of little or no importance or consequence"? This seems like a very poor choice of words, in my opinion. Affected customers may beg to differ.
It is highly unlikely any information has been breached because of password protection security measures.
[Evan] Come on! Password protection (OS-level) in and of itself certainly does not make a breach "highly unlikely".
There are no reported incidences of any issues.
While we are still awaiting the outcome of the police investigation, we are being proactive out of abundance of caution.
[Evan] A display of proactive abundance of caution would be to encrypt laptops and apply tight controls around what information is allowed to be stored on them (among other things).
Because there is a possibility that your personal information could have been subject to unauthorized disclosure, we have arranged to provide you - at our expense - 12 months of a credit monitoring service.
[Evan] How nice.
For any questions, please call 1-
Commentary:
In my opinion, this is one of the worst breach notifications that I have read in some time (if ever). The notification is full of statements meant to minimize importance and risk. There isn't even an apology to customers. Personally, I am glad to not be a customer with personal information under the custodial care of this company.
Disclaimer:
Because I was a little harsher in my comments regarding this breach (and, in my opinion, rightly so), I should state that my comments are my opinions. I am limited in the amount of information I have about this breach, so many of my opinions are based on what I read and my own experience. Axcess Financial has much more information surrounding this breach, and, as instructed in the notification letter, call them with questions.
Past Breaches:
Unknown
Hi Evan,
I had asked Axcess some of the very questions you posed in your analysis. Their answers seemed less than totally helpful and I have yet to hear back from them re a very specific question as to whether law enforcement ever asked them to delay notification or if that was Axcess's own decision. See here.
Hey Dissent,
Nice to see you here again! Also nice to see that you and I are on the same page in re: this breach (most breaches, really). PogoWasRight is a daily read for me. Great work.
-Evan
I'm a PA resident. I received a similar letter. Mine didn't say when the theft occurred; however, I did receive the letter in May, as did the New Hampshire residents. They also offered me the 12 months of credit monitoring. As far as I know, PA doesn't require companies to inform anybody about data breaches, but I don't even know what kind of data they would have on me! If you'd like a copy of the letter, I'd be happy to scan it and email it. I d
Rob,
Does the letter you received differ much from the letter sent to the New Hampshire AG (link in the post)? If so, I would love to take a look at yours (and share it, with your approval).
Thanks,
Evan