"many of Colt's clients" affected by breach, CNET included

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.  Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.  The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh oh! This is starting to read and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598.

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information.  Encryption would have been a prudent control in a defense-in-depth approach: a mitigating control that keeps the information protected even after a physical break-in and theft of the hardware.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did.  Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.



some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information!  I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record.

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again.  One year of semi-effective protection should not be considered adequate for information that has a usable life far exceeding this time frame.  It should be pointed out, however, that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many".  How many clients will be affected in the end?  PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters.  An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business.  This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th?  I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you.  We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist.  How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it?  If so, this could have been a sign that could have spurred some action.  Then again, maybe not.


http://www.colthr.com/



Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant as, or more significant than, the ASI breach reported in February (in terms of the number of people and organizations affected).  The ASI breach was the second most popular posting in The Breach Blog's history at the time, based on the number of online page reads and comments posted.

This breach has got me thinking.  Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships.  Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment.  Vendors and "trusted" third parties need to be held to the same high security standards that we set for our own organization.  The methods by which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary.  If a vendor is not encrypting confidential information or employing burglar alarms, that fact is then known (and hopefully addressed) before an incident rather than after.

Past Breaches:
Unknown

Comments
  • 6/28/2008 8:47 AM Dissent wrote:
    I just posted the fifth company/entity to be affected by the burglary at Colt on my site. For those keeping track, the list now stands at CNet, Avant!, Ebara Technologies, bebe, and Punahou School District. I also expect it to grow, although I doubt the numbers will even come close to ASI where you had a lot of insurance companies as clients.

    What gets me about this breach is that not only was there the problem of unencrypted data at rest, but you had a lot of OLD data at rest, unencrypted, on these computers that were "password-protected." Why unencrypted data from clients who had already terminated their business contracts with Colt more than a year previously were still on computers is something to think about.

    As to the "password-protected" bit and complaint of mine, because the owner told a client that the stolen computer was "password-protected," the client was not even sure that there had been a breach and wrote a notification letter to its affected individuals that suggested that there may have been no breach at all. I tried to explain to the client that if their data was on the machine (it was) and unencrypted (it was), then "password-protected" means little and they should have written a different notification letter.

    Gah....
    1. 7/1/2008 12:50 PM wrote:
      Add Google to the list of companies impacted by the Colt break-in.
      1. 7/8/2008 8:12 PM amy wrote:
        I just got my letter, add PDL biopharma to the list too.
        1. 7/9/2008 7:47 AM Dissent wrote:
          Amy: could you send a copy of the notification you got from them, as I have no documentation on them being affected by the burglary.

          John: that wasn't my estimate -- it was what the company reported to the AG, based on info Colt gave them, if you're referring to the C|net data.
    2. 9/8/2008 4:48 PM Larry wrote:
      I've got my letter from Intuit, dated 9/3/08. Add them to the company list. The letter tells that Intuit is hiring Kroll for 12 months ID protection. Thanks Intuit.
      1. 9/9/2008 8:52 AM Dissent wrote:
        If you can send me a copy of the notification, I can add them to the list.

        Did they mention why it took them so many months to send out the notification???
      2. 9/11/2008 12:56 PM Dissent wrote:
        Forget about my request for the letter. I got a statement from Intuit so I can add them to the page on Colt. The only one I don't seem to have yet that's been mentioned here is Marvell. If anyone has a copy of that one, please send it to me.
  • 7/8/2008 10:52 AM john wrote:
    Our HR dept is in the process of notifying 8000 people that their information was compromised so your estimate of 6500 is way too low.
  • 7/8/2008 2:49 PM Jeanie wrote:
    I think it's shameful that this Colt HR company is even still in business. After reading the article online about how "the company's CEO, Samuel Colt III, said in a statement, 'We do not have the resources, financial and otherwise, to assist you further,'" it is just absurd. I hope someone comes and shuts these people down. Especially considering they just decided to install an alarm system on their building on May 30th? Ooo ahhh wow. Whoever uses this company for services is violating their employees' privacy right off the bat; drop them like a hot rock!! Obviously, based on the CEO's comments and the comments listed in this article, it is plain to see that this company is more interested in collecting money off stupid people than doing any kind of real business.

    Truly appalled. This company never "assisted" anyone at all, aside from letting personal information get out. Good riddance. I hope to see an article about your "Out of Business" sign soon.
  • 7/28/2008 8:59 PM larry wrote:
    Add Exponent to the list of companies affected. I haven't worked there since 1999 and my data was part of the breach.

    Here's the letter:

    http://www.exponent.com/privacy/
    1. 7/29/2008 7:22 AM Dissent wrote:
      Thanks, Larry! I've added Exponent to the list of companies affected.

      If anyone else received a notification letter from a company we don't already know about, please either post info here, or email me with the info. I'd still like to see the letter from PDL Pharma mentioned earlier in this thread, and I suspect that there are still many more companies affected that we have yet to find out about.
  • 8/1/2008 7:34 AM Dissent wrote:
    The count is now up to 18 companies that we know about. I've created a chart with links here.

    If anyone knows of other companies or receives a notification from another company, please share!
    1. 8/5/2008 8:59 AM Evan Francen wrote:
      Wow!  18 companies?  This is the breach that never ends...
  • 8/7/2008 7:53 PM D wrote:
    Add Marvell Semiconductor to that list, I just received a similar letter to those posted this week.
  • 8/8/2008 6:41 AM Dissent wrote:
    D: I'd be happy to add them to the page set up on the breach, but I need documentation/proof in hand. If anyone can get me a copy of the letter, that would be good. I'll also keep checking the state attorney general sites that list breaches in case Marvell had to file with those states.

    The count is now 20 without Marvell.... but I still think this is still relatively small compared to some other third-party breaches where we don't have full disclosure. The Willis breach is likely a big one. And I can only imagine what the numbers might be like on GE Money, BNY, etc. Gah....
    1. 9/13/2008 1:46 PM Earline wrote:
      When I received mail supposedly from Intuit on 9/12/08 I thought it might be a hoax, as I have not heard anything about it in the news. Why was this not publicized? I was also suspicious because, while at the same time they were alerting me of the theft of my personal information, they were also soliciting me to sign up with IDTheftSmart. The offer comes with a form requiring that the same information reportedly stolen (i.e., SS#, date of birth) be sent via mail to "Administrator" in Des Moines, IA. Again, why hasn't this been publicized? If it has, I missed it. And like someone mentioned before, it happened in May and we're just being notified in September.
  • 9/15/2008 8:45 AM Dissent wrote:
    The vast majority of breaches are not revealed voluntarily in a public way for fear of bad press or harm to reputation. Some companies don't reveal because they fear that the thieves will find out that there are sensitive data on the stolen equipment. Some companies don't reveal because of active law enforcement investigations. There are a number of reasons.

    My site reveals breaches that have not made the media. So does this site, because both Evan and I use reports to attorney generals that are uploaded to the web. But most breaches do not make the mainstream media and sadly, even Evan and I do not find out about most breaches because most states do not publicly upload the notifications they receive about breaches in their respective states.

    We need a federal disclosure law.
  • 9/17/2008 3:17 PM Monique wrote:
    Colt has been going out of business for years now. They recruited me from an FSA provider I worked with for almost 4 years and 8 months later sold their FSA business to the company I left then laid me off, along with the majority of their top executives in August 2006. It is a very poorly run family business who takes on large clients they know up front that they cannot support. Then basically takes their money until the contracts terminate. Unfortunately I didn't learn this until I left my previous company.