Laptop stolen from R.E. Moulton may affect 19,000

Date Reported:
5/23/08

Organization:
OneAmerica

Contractor/Consultant/Branch:
R.E. Moulton, Inc.

Victims:
Customers

Number Affected:
~19,000

Types of Data:
"names in combination with social security numbers"

Breach Description:
A laptop computer containing sensitive personal information belonging to approximately 19,000 individuals was stolen from the Irving, Texas offices of R.E. Moulton on or around March 7th, 2008.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

R.E. Moulton is a leader in the medical stop-loss insurance industry and the stop-loss insurance products administered by it are available nation-wide.
[Evan] The notification to the New Hampshire State Attorney General starts with this sentence.  It's nice if you can add a little marketing to your breach notification.

We are writing to inform you of an incident involving the possible disclosure of personal information.

Specifically, on or around March 7, 2008, thieves broke into our Irving, Texas regional office and stole a laptop computer containing personally identifiable information of numerous individuals, including names in combination with social security numbers.
[Evan] We don't know much about the physical security controls protecting the office and laptop, but we do have a clue.  The fact that R.E. Moulton states "on or around March 7" leads me to believe that the physical controls were not sophisticated enough to detect the theft when it occurred.  The practice of storing confidential information on a laptop is not a good idea in most cases, and there is also no mention of encryption, so I assume it was not used.  Bad, bad, and bad.

A police report was filed and the police are actively investigating this crime.

Personal information was on the stolen laptop because R.E. Moulton receives requests to provide quotes for stop-loss insurance coverage.
[Evan] In my opinion, this may be justification for collecting personal information, but certainly not a justification for storing it on a laptop.

Approximately 19,000 individuals were affected, although there may be duplicates on our master list; this means that the list of affected individuals may be smaller.

At this time, we are unable to determine the number of New Hampshire residents, if any, who will be notified of this incident because the information maintained on the laptop did not include addresses, but we will provide a list at a later date if we find that New Hampshire residents were affected.

Letters will be sent to these individuals as soon as we receive their addresses from their employers or the third parties who arranged for the insurance quotes.
[Evan] It seems to me that the "employers or the third parties" have a significant role in this breach also.  I wonder if information security personnel at the "employers or the third parties" were aware and approved of the sharing of personal information with R.E. Moulton.  If they were, then I wonder if they followed good protocol and evaluated the information security practices of R.E. Moulton.

Those employers and third parties were notified of this incident during the week of May 5, 2008 and are currently collecting the needed addresses.
[Evan] Employers and third parties were notified almost 2 months after the theft.

Depending on the length of time needed to collect addresses, we hope to start sending letters to the affected individuals in June.
[Evan] Add the amount of time referred to in this sentence to the ~2 months that have already passed and then add this to the time to address letters and you get a long time before victims are notified.  I presume some victims will never be notified.

Please know that we have taken this incident very seriously.
[Evan] Action speaks louder than words.

While we do not anticipate that any of the information will be used for unauthorized or malicious purposes, to help those whose information was involved, we have engaged ConsumerInfo.com, Inc., an Experian company, to provide those individuals with one year of credit monitoring at no cost to them.

Please note that we are committed to protecting our customer and that we are constantly improving our processes to avoid any further reoccurrences.

In addition, appropriate steps have been taken to prevent future disclosures of this information.
[Evan] What steps have been taken?  It seems to me that data owners deserve more detail and explanation.

We sincerely apologize for any inconvenience or worry this may have caused you.

We encourage you to contact the company at with any questions or concerns.

From the FAQs:
Q.  What is being done by R.E. Moulton to prevent a similar incident from occurring?
A.  R.E. Moulton had procedures in place to protect customer information and is constantly reviewing those procedures in light of developments in information security and the evolution of criminal activity.
[Evan] What do you think of this answer?

Commentary:
I get especially frustrated by breaches that involve confidential information on a stolen laptop.  Stolen laptops are one of the most common types of breach we read about, if not the most common, yet the frequency of reports does not seem to be subsiding.  Can an organization claim that it didn't know any better?  At what point does risky information security behavior become negligent?

I suspect that most victims don't even know that R.E. Moulton had their personal information.  This makes the breach a little more troubling.

I accept mistakes because we all make them.  I also accept security incidents that occur despite an organization's best efforts at protection.  I don't accept poor behavior that seems to go against common sense.

Past Breaches:
Unknown
