Baxter International reports a stolen HR laptop

Date Reported:
7/11/07

Organization:
Baxter International Inc.

Contractor/Consultant/Branch:
None

Victims:
"current, former, and prospective U.S. employees"

Number Affected:
"roughly 6,900"

Types of Data:
"names, social security numbers, encoded information regarding background checks, and addresses"

Breach Description:
"Recently, a Baxter human resources employee based in the U.S. was attending a human resources conference in Chicago, Illinois.  On June 24, 2008, a thief entered the hotel room of the employee while that employee was attending the conference, and stole a laptop computer belonging to Baxter."  The laptop contained sensitive personal information belonging to current, former and prospective employees.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Recently, a Baxter human resources employee based in the U.S. was attending a human resources conference in Chicago, Illinois.
[Evan] Obviously, human resources personnel handle very sensitive information.  Just a couple of weeks ago, the human resources department at a company I consult for sent a spreadsheet containing sensitive personal information to a group of unauthorized persons.

On June 24, 2008, a thief entered the hotel room of the employee while that employee was attending the conference, and stole a laptop computer belonging to Baxter.

Subsequently, we learned that two data files on the laptop contained personal information, including names, social security numbers, encoded information regarding background checks, and addresses of certain current, former, and prospective U.S. employees.
[Evan] Unencrypted, I presume.

No customer or patient data was included in these data files.

The data files included personal information of roughly 6,900 people.

Baxter has notified and is working closely with local law enforcement officials to investigate this matter.

Additionally, we are developing policies and procedures to strengthen our data security policies to reduce, if not eliminate, the risk that data losses of this type ever occur again.
[Evan] Usually the best we can hope for is a reduction in risk.  We (information security personnel) are in the risk reduction business, not the risk elimination business.  We aim to bring residual risk to a level that is acceptable to the business.  Do you suppose that a decision was made to not encrypt laptops at Baxter, or did they just not understand (or identify) the risk?

We are notifying our employees whose information may have been or may be compromised of this incident on Monday, July 14th by writing to them at their last known addresses.

I want to assure you that we are taking this incident seriously and taking steps to ensure that all of our data is as secure as possible.
[Evan] Ensuring that data "is as secure as possible" in the literal sense is not feasible.  Can Baxter live up to this statement?  I don't think any company can.

We deeply regret that this incident occurred.

On behalf of the entire Baxter organization and our dedicated human resources staff, I want to express our deepest regret for this unfortunate incident and let you know that we are doing everything we can to address the situation and assist you.

We do not know that this information has been accessed and misused.

The stolen laptop required a user to enter certain user credentials, such as a correct username and password, in order to access the laptop computer.
[Evan] Anyone with even a little skill can easily access the data on the laptop without the "certain user credentials" if the laptop is not protected with encryption (and pre-boot authentication).

We have retained Kroll Inc., a New-York based risk consulting firm and a global leader in data security, who has worked with other large corporations under similar circumstances, to provide its ID TheftSmart safeguards to you at no charge.
[Evan] It would have been a good proactive decision to have sought the advice of a good risk consulting firm before this incident.  Other organizations should take heed.

You can reach the call center, toll-free, at 1-, anytime Monday through Friday from 8 a.m. to 5 p.m. central standard time.

We have formed an Information Security Assessment Team, which will assess our data security controls and recommend and implement steps to further strengthen those controls to appropriately reduce the risk of significant data loss, including restricting data access and requiring the use of encryption tools.
[Evan] Good!  Let's hope that the Information Security Assessment Team is effective and remains an integral and regular part of Baxter's information security program long after this breach is forgotten.

Please be assured that we take this issue seriously.

Commentary:
A stolen laptop without encryption is the most common breach reported on The Breach Blog.  The issues surrounding these types of breaches are very well-known risks that many organizations still seem willing to take.  It's a gamble, and this time Baxter lost.  Who's next?

Past Breaches:
Unknown
