AT&T management information on stolen laptop
Technorati Tag: Security Breach
Date Reported:
6/4/08
Organization:
AT&T
Contractor/Consultant/Branch:
None
Victims:
AT&T management personnel
Number Affected:
Unknown
Types of Data:
Compensation information, including employee names, Social Security numbers, and salary and bonus information.
Breach Description:
"An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop."
Reference URL:
PogoWasRight
SC Magazine
NetworkWorld
Report Credit:
PogoWasRight
Response:
From the online sources cited above:
An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.
[Evan] Don't you think that a well known (and respected) company like AT&T would have had the forethought to encrypt laptops?
Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources.
This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information
The laptop was stolen May 15 from the car of an employee
The data on the computer was not encrypted -- a violation of company policy -- and included names, Social Security numbers and in some cases, salary and bonus information.
No customer or client data were on the stolen laptop.
The company would not disclose the number of affected individuals, but there is no reason to believe any of the data was being targeted when the machine was stolen.
AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."
"Usually these are property crimes in which the drive is wiped clean and resold for profit,"
[Evan] This used to be the case, but do you think the same still holds true today? If a thief is going to go through the trouble of wiping the drive, it seems plausible that he/she may also attempt to access/review the information contained on it. Hardware value = ~$1000, Information value = ~$10, $20, $50+ per record. Do the math and it soon becomes apparent that a thief can profit much more by selling the information. I presume that some thieves know this.
The employee who was in possession of the laptop when it was stolen has been disciplined.
[Evan] Was it the employee's responsibility to encrypt the information, or was it his/her responsibility to not store confidential information on it? If the employee was aware of his/her responsibilities, then I can understand the disciplinary action. If not, then AT&T has much bigger problems.
"There are a number of rules governing the handling of encrypted material and the mobile devices handling that material that employees must follow," Sharp said. "It is up to the employee to ensure that any sensitive material is encrypted."
[Evan] Really? It is "up to the employee" to ensure that sensitive material is encrypted? Most of the users I work with wouldn't know the first thing about how to encrypt information. This is why we usually implement policies, standards and procedures to encrypt the entire contents of hard drives as part of the standard laptop build. Encryption is then semi-transparent and we don't need to worry about an incident such as this. Take information security out of the hands of employees if feasible.
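The point above is that encryption has to be enforced and verified centrally rather than left to each employee. The following is an added example, not code from The Breach Blog or from AT&T: a small audit that reads a constructed device inventory export and flags laptops that are not fully encrypted, treating "encryption in progress" and "state unknown" as non-compliant, since plaintext may still be on the disk in either case. The CSV column names, the device records and the severity scheme are all hypothetical.

```python
"""Fleet full-disk-encryption (FDE) compliance audit (hypothetical example).

Checks a constructed inventory export against a simple policy: any mobile
device holding sensitive data must report FDE as fully enabled.  Anything
short of that is a finding, so compliance is verified by IT rather than
relying on each employee to encrypt files by hand.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample inventory (hostnames, owners and states are invented).
SAMPLE_INVENTORY = """\
hostname,owner,device_type,fde_state,fde_percent,data_class
lt-0101,alice,laptop,encrypted,100,sensitive
lt-0102,bob,laptop,encrypting,37,sensitive
lt-0103,carol,laptop,unencrypted,0,sensitive
lt-0104,dave,laptop,unencrypted,0,public
ws-0201,erin,desktop,unencrypted,0,sensitive
lt-0105,frank,laptop,unknown,,sensitive
"""

MOBILE_TYPES = {"laptop", "tablet"}          # devices that leave the building
SEVERITY_ORDER = {"high": 0, "medium": 1}    # sort key: worst first


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str   # "high" or "medium"
    reason: str


def evaluate(rec):
    """Return a Finding for one inventory record, or None if it is compliant."""
    if rec["fde_state"] == "encrypted":
        return None                          # fully encrypted: compliant
    mobile = rec["device_type"] in MOBILE_TYPES
    sensitive = rec["data_class"] == "sensitive"
    if not mobile and not sensitive:
        return None                          # stationary device, public data: out of scope
    # Sensitive data on a device that can be lost or stolen is the worst case.
    severity = "high" if (mobile and sensitive) else "medium"
    state = rec["fde_state"] or "unknown"
    if state == "encrypting":
        pct = rec["fde_percent"] or "0"
        reason = f"encryption in progress ({pct}% done); plaintext still on disk"
    elif state == "unknown":
        reason = "encryption state not reported; treat as unverified"
    else:
        reason = "full-disk encryption not enabled"
    return Finding(rec["hostname"], severity, reason)


def audit(inventory_csv):
    """Parse the CSV export and return all findings, highest severity first."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    findings = [f for f in (evaluate(rec) for rec in reader) if f is not None]
    # sorted() is stable, so devices keep inventory order within a severity.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.severity.upper():6} {f.hostname}: {f.reason}")
    print("summary:", summarize(results))
```

Run against a real inventory, the same logic would feed a ticket queue or block network access for "high" devices; the point is that the check is automated and repeatable, not dependent on whether an individual user remembered to encrypt a spreadsheet.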
AT&T used the breach as a reminder that employees must follow policies.
[Evan] Hopefully this isn't the only time employees are reminded to follow policies.
We deeply regret this incident.
You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future.
The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.
[Evan] Sheesh, hundreds if not thousands of breaches involving lost and/or stolen laptops affecting millions of people and now AT&T is "in the process of encrypting devices"? To AT&T's credit, they do employ thousands of mobile devices which take time to encrypt and it's better late than never. Explain this to the people affected.
AT&T is offering free credit monitoring to those affected.
Victim Reaction:
"I'm very disappointed in my company,"
"Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."
"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information,"
"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."
Commentary:
Excellent work at PogoWasRight.org. Their report contains copies of the actual AT&T correspondence. Obviously, AT&T should have known better.
The Breach Blog was notified via a comment from the wife of an affected employee on May 28th, but we did not have enough information to report. The comment was not approved by me either because the commenter used her real name (out of protection for her and her husband).

Past Breaches:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected

This blog is related to Laptop Computer Reviews that one must keep the computer safe and protect from theft because in it useful information is saved. I recommend that one must protect themselves from others and must be alert all the time.
There is no excuse with current encryption software, for this to be happening. I think someone will have to be sued into oblivion before they decide to start shelling out some $ for IT to deploy encrypted ONLY laptops. It's really not that complicated. Compusec is even free for God's Sake!
Does it take a CEO's personal information to be disseminated to get someone's attention!?
Get Sued:
You can sue, but unfortunately, you likely won't prevail unless you can demonstrate actual harm. The courts have not allowed people to successfully sue for time, worry, etc.
In this case, AT&T admits that their employee did not follow their security procedures which did call for encryption. I don't know that a company will ever totally foolproof their security against idiotic acts or neglect by employees -- unless they totally switch over to not having any data on remote or mobile devices. Even data destruction software is not a great solution as some thefts may not be detected promptly.
Even if they do eliminate storing data on mobile devices, that's no guarantee, either. We've already seen dumb moves like an employee logging in to a server from a hotel room and then forgetting to log out.
But yes, some breaches are particularly irritating because they're just so darned avoidable.