Personal information stolen from State Street mystery vendor

Date Reported:
5/29/08

Organization:
State Street Corporation

Stock Symbol:
NYSE: STT

Contractor/Consultant/Branch:
Unnamed vendor hired "to provide legal support services"

Victims:
"employees and some customers of the former Investors Financial Services Corp. (“IBT”)"

Number Affected:
"more than 45,000"

Types of Data:
Names, addresses, dates of birth, and, in some cases, Social Security numbers.

Breach Description:
"State Street Corp. (STT) sent notices to employees and some customers of the former Investors Financial Services Corp. that computer equipment containing personal data was stolen from a vendor's facility."

Reference URL:
State Street Corporation News Release
The Boston Globe
Dow Jones Newswires via CNNMoney
Boston Business Journal
Reuters via CNBC

Report Credit:
State Street Corporation

Response:
From the online sources cited above:

State Street Corp. said yesterday that a disk drive containing personal details from 5,500 employees and 40,000 customer accounts was stolen

BOSTON, MAY 29, 2008 – State Street Corporation (NYSE: STT) today began sending precautionary notifications to employees and some customers of the former Investors Financial Services Corp. (“IBT”) that computer equipment containing certain personal data was stolen from a vendor’s facility.
[Evan] So this vendor relationship is probably governed by a vendor/third-party security policy and supporting documentation and processes, right?

IBT had engaged the vendor for legal support services.

the compromised information was among a batch of data sent to the analysis firm, which she declined to identify except to say it was in the United States. (A spokeswoman for State Street of Boston)
[Evan] Why decline to identify?  If I were someone affected by this (thank God I am not), do you think that I should have the right to know?  After all, am I not the owner of my personal information?

At the time of the transfer, the data were encrypted, making it much more difficult to misuse. But the firm had unencrypted the information for its work and stored it on the hard drive that was then stolen
[Evan] This is why data-at-rest encryption is as (or more) important than data-in-transit encryption. Both applications have their place in many information protection strategies.

Lost details included individuals' names, addresses, dates of birth, and, in some cases, Social Security numbers.

There is no evidence to date to suggest that the data has been misused or that legacy State Street customers or employees are impacted.

The theft was reported to federal authorities

the theft occurred in December and was reported to State Street in January

State Street didn't disclose the breach publicly or to individuals until yesterday because it took months to determine who was affected
[Evan] Yeah, like more than four months!  Let's say that only one FTE was assigned to determining what data was on the stolen computer equipment.  One FTE x 40 hours x 17 weeks (est.) = 680 hours.

As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers whose personal data was on the stolen computer equipment.
[Evan] I don't like the word "precaution" used in notification that is a "reaction".

This notification process is expected to be completed shortly.

State Street has developed a dedicated section of its website with more details for the legacy IBT customers and employees who will receive these precautionary notifications. This information can be found at www.statestreet.com/notification and includes detail about a number of credit monitoring services being made available by State Street at no cost for two years.

State Street said this was the first case of data theft in its history.
[Evan] State Street was founded in 1792, and this is the first case of data theft?  If so, that's amazing!

Contact Information:
Customers:
Please contact your usual customer representative.
Media:
Please contact .
Employees:
Please contact GHR Customer Service at +1 .

Commentary:
Make sure that your information security program takes into account the information that is shared with vendors, partners, and other third-party providers. There are numerous approaches that can be employed and customized to an individual business or organization. Most effective information security programs govern the security of confidential information shared with third parties through policy, contractual language, standards, and periodic assessments for compliance. If possible, get information security personnel involved very early in the establishment of the relationship.

Past Breaches:
Unknown
