Laptop containing personal information is stolen from U.S. Foodservice
Date Reported:
6/13/08
Organization:
U.S. Foodservice, Inc.
Contractor/Consultant/Branch:
None
Victims:
Present and former employees, "and in a few instances, their dependents and applicants for jobs at USF"
Number Affected:
Unknown
Types of Data:
"names, social security numbers, home addresses, and/or dates of birth"
Breach Description:
"We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
We were informed recently of the theft of a U.S. Foodservice, Inc. ("USF") laptop computer, which contained sensitive personnel information.
[Evan] We now add U.S. Foodservice to the ever-growing list of organizations that refuse to encrypt laptops, yet allow confidential information to be stored on them.
Local authorities were immediately notified and we conducted an internal investigation.
the laptop contained certain old data files
[Evan] I wonder how old these data files were. I also wonder if these files were supposed to have been removed and/or destroyed, but were missed.
In the course of our investigation, we determined that the laptop computer contained the names, social security numbers, home addresses, and/or dates of birth of some present and former USF employees, and in a few instances, their dependents and applicants for jobs at USF.
We are sending a notification letter to individuals impacted by this incident.
We expect to begin mailing the notification letters on June 13, 2008.
we have no indication that any of the information is being misused
[Evan] A breach notification is almost not a real breach notification without this mention.
Please note that several years ago, the Company stopped using social security numbers to identify employees for internal reporting or other purposes.
[Evan] A good move by the Company. USF is still required to collect Social Security numbers, however.
Pursuant to USF policies, the laptop was protected by a unique user ID and password, but the individual files containing personal information were not encrypted or password protected.
[Evan] I am interested in reading the USF policies. Do the policies only require a user ID and password to protect (or access) confidential information? Probably not sufficient.
U.S. Foodservice takes the security of your personal information seriously and apologizes for any inconvenience or worry this incident may cause you.
As a precautionary measure, we are making several services available at the Company's expense, free of charge to you, to assist you in protecting your identity.
[Evan] A true "precautionary measure" might have been restricting confidential information storage on laptops (and other mobile media) or encryption.
Although at this point we have no indication that your information has been compromised
[Evan] My definition of "compromised" obviously differs. In my opinion, if the confidentiality, integrity or availability of information cannot be reasonably assured, then the information IS compromised. If you believe that password-protection provides reasonable assurance, then you and I disagree.
Call the Toll Free Help Line at 1- to get answer [sic] to your questions.
- Staffed by a team of professionals
- Monday through Friday from 6:00 a.m. to 6:00 p.m. (Pacific Daylight Time)
- Saturday and Sunday from 8:00 a.m. to 5:00 p.m. (Pacific Daylight Time)
Please know that while we have information security policies in place, we are reviewing those practices and procedures to see what changes need to be made.
[Evan] It's good that USF has information security policies in place, but it doesn't mean that they are effective or that they are well enforced. A poorly enforced policy isn't worth the paper it's written on.
Commentary:
U.S. Foodservice is also offering one year of free credit monitoring and identity theft insurance. This would be fine minus the fact that a Social Security number has an effective lifespan that far exceeds one year.
If only there were other controls available to protect information stored on a laptop. Wait, there are!
Past Breaches:
Unknown