UTUIA laptops are missing after shipment

Date Reported:
6/9/08

Organization:
United Transportation Union Insurance Association ("UTUIA")

Contractor/Consultant/Branch:
Westin Hotels and Resorts
United Parcel Service

Victims:
Policyholders

Number Affected:
Unknown

Types of Data:
"names and social security numbers"

Breach Description:
Two laptop computers shipped via UPS to UTUIA offices are missing.  One of the laptops may contain sensitive personal information belonging to UTUIA policyholders.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a recent security incident involving UTUIA, headquartered in Ohio.

During shipment of UTUIA laptop computers to UTUIA offices, laptops have been reported missing.
[Evan] The notification letter sent to victims mentions two laptops.

The laptops may have contained personal information, including names and social security numbers, about policyholders

UTUIA has reported the missing laptops to law enforcement authorities and is pursuing the return of these laptops.

United Transportation Union Insurance Association has filed police reports, is coordinating with the hotel involved (Westin San Francisco) and has notified UPS of the missing items.
[Evan] Based on the information so far, it appears that UTUIA arranged for Westin to ship two laptops via UPS.  One of the laptops contained sensitive personal information.  There is no mention of encryption or any other protections in the breach notification, so we can only imagine.

Given the time that has passed since notification, we believe the likelihood of timely recovery is low and therefore are proceeding with notification.
[Evan] How much time has passed since the laptops were lost/stolen?  Neither the New Hampshire nor the victim notifications disclose this important piece of information.

Currently, there is no indication that the laptop was stolen for its content, but it is possible that there was unauthorized access to information
[Evan] Do you think that a thief would announce his/her intentions for stealing the laptop?  I don't think so.  What indication would an investigator look for to explain a thief's motives?

We regret this unfortunate situation, and although we have no evidence at this time that any personal information has been accessed or misused, we encourage you to take preventative measures.
[Evan] What "preventative measures" did UTUIA use to protect personal information for which they were not the owners?  Who knows?

We sincerely apologize for any inconvenience that this may cause you.

If you have additional questions, please call us toll-free at between 8:30 a.m. and 4:30 p.m. eastern time, or contact us by mail at 14600 Detroit Avenue, Cleveland, Ohio 44107.

Commentary:
In my opinion, there is not enough information in the breach notification sent to the New Hampshire Attorney General or victims.  Customers deserve more information about what an organization plans to do in order to provide an adequate amount (owner's discretion) of security.  Based on the information we've read in the breach notification, there is no basis for judgment, which is sad.

What exactly does UTUIA do to protect the confidential information belonging to policyholders?

Past Breaches:
Unknown
