Laptop stolen from the home of a BearingPoint employee

Date Reported:
6/5/08

Organization:
BearingPoint, Inc.

Contractor/Consultant/Branch:
None

Victims:
Independent BearingPoint contractors

Number Affected:
Unknown

Types of Data:
"first and last name and Social Security Number"

Breach Description:
On May 14, 2008 a BearingPoint company-issued laptop was stolen from the residence of an employee.  The laptop contained sensitive personal information belonging to a number of BearingPoint independent contractors.

Reference URL:
The Maryland State Attorney General breach notification

Report Credit:
The Maryland State Attorney General

Response:
From the online source cited above:

BearingPoint recognizes the importance of safeguarding the personal information it handles in the course of conducting business.
[Evan] As demonstrated on their web site.  The number "8" followed by "The number of years in a row that identity theft has been the #1 internet crime"

To that end, we have implemented safeguards for the information.
[Evan] OK, I am following so far.

Even the most rigorous safeguards, however, cannot guarantee protection against criminal conduct.
[Evan] Well, I think "rigorous safeguards" needs to be quantified somewhat.  What are "rigorous safeguards" and how do they apply to this breach?

The Company was recently victimized by such conduct and we are writing to inform you that this criminal conduct might have a direct impact on you.
[Evan] Uh oh, here it comes.  Not only was "The Company" recently victimized, but just as importantly, the owners of the personal information were victimized as well.

On May 14, 2008, the residence of one of our employees was burglarized and the company-issued laptop computer was taken amongst other personal property.

The employee promptly reported the theft to the Atlanta Police Department, which is investigating the break-in.

The investigation into the burglary is on-going and BearingPoint is cooperating fully.

BearingPoint worked diligently to reconstruct the information stored on the stolen laptop.

BearingPoint has been able to determine that the computer contains the name and social security number of independent contractors.
[Evan] Recognizing the importance of safeguarding personal information, is storing personal information on a laptop (presumably without encryption due to the fact that there is no mention of it) a prudent practice?

The stolen laptop did not contain credit or debit card numbers, or financial account numbers.
[Evan] So a criminal would have to open his/her own accounts using the other information that WAS on the laptop.

We have no reason to believe that the information stored on the stolen laptop was the target of the burglary or that the information has been misused.

The personal information on the laptop can be accessed only with two passwords and two forms of authentication.
[Evan] The "passwords" are the authentication.  I am guessing that BearingPoint meant two forms of identification (probably usernames).  Again, I am guessing that one of the username/passwords is for the operating system itself which takes less than 10 minutes to bypass in most instances and I am guessing that the other username/password combination is file access for which there are known workarounds in many common applications (Word, Excel, PowerPoint, etc.).  Either way, I think that this excerpt is meant to minimize the situation with a strong bias towards saving face.

In addition, the personal information was not stored in a single file or spreadsheet but dispersed among numerous files.
[Evan] Information security personnel know better than to argue the security through obscurity defense.

To date, we have received no report indicating that the information stored on the laptops has been accessed or misused.
[Evan] I think "laptops" in the breach notification is a typo.

BearingPoint recognizes this development, and any related inconvenience, might be upsetting.

We regret this incident has occurred and we apologize for any inconvenience it may cause you.

As a result of this incident, we have taken immediate steps to review our current policies and procedures to further enhance security for personal data we handle and to reduce the risk of recurrence.
[Evan] Restrict ability to store confidential information on mobile devices?  Encryption?  Two-factor authentication?

To lessen the potential inconvenience to you and reduce the risk that you might be subjected to attempts to steal your identity, we have engaged ConsumerInfo.com Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.

Please contact should you have additional questions regarding the circumstance of the incident.

BearingPoint currently anticipates notifying affected individuals on or before June 6, 2008, of this incident.

Commentary:
Marketing on the BearingPoint web site boasts "BearingPoint has demonstrated some of the biggest advancements in risk consulting services among the large number of providers in this market" - Forrester Wave: Risk Consulting Services, Q2, June 2007 Report. 

It is disappointing to read about a well-respected company losing control of confidential information, but what makes this worse is the fact that it happened through the actions of a leading information security and risk consulting company.  It is important to point out that one incident DOES NOT define a company.

No encryption, and no mention of it as a matter of policy, together with the attempts to minimize the possible impact by citing ineffective controls (passwords and obscurity), are troubling.

Past Breaches:
Unknown
