A laptop is stolen from an LPL Financial office in Michigan

Date Reported:
7/24/08

Organization:
LPL Financial ("LPL")

Contractor/Consultant/Branch:
William and Nathanael Flynn

Victims:
Customers

Number Affected:
Unknown

Types of Data:
"name, Social Security number, account number, and date of birth"

Breach Description:
"We write to advise you of an incident involving a burglary of an office of LPL Financial ("LPL"), which resulted in a stolen laptop. The office is located in Lansing, MI and the break-in occurred on April 4, 2008. To our knowledge, the laptop contained certain personal information"

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We write to advise you of an incident involving a burglary of an office of LPL Financial ("LPL"), which resulted in a stolen laptop.

The office is located in Lansing, MI and the break-in occurred on April 4, 2008.
[Evan] The breach notification letter is dated 7/24/08.

stolen from the office of William and Nathanael Flynn
[Evan] At 1400 Abbott Rd., Suite 300 - East Lansing, MI

The stolen laptop contained certain personal information belonging to customers of LPL that was not encrypted.
[Evan] In this day and age, who should expect a laptop storing confidential information to be encrypted?  Oh wait, we ALL should!

LPL first learned of this incident on April 4, 2008 and took the following actions: (1) notified law enforcement; (2) determined what information had been compromised; (3) investigated the situation; and (4) notified and offered solutions to the affected individuals.

On April 4, 2008 one or more unknown persons broke into and entered the office identified above and stole a laptop computer.

The laptop contained unencrypted names, Social Security numbers and account statements of customers and non customer beneficiaries.
[Evan] The breach notification letter mentions the lack of encryption at least three times.  LPL deserves some credit for honesty.

we have no evidence that the information has been misused

Internal reports were run to identify all of the clients whose information could have been accessed on the laptop.
[Evan] The New Hampshire breach notification mentions that only one New Hampshire resident was identified, but remember that this laptop was stolen from an office in Michigan.  We probably wouldn't expect many New Hampshire residents to be affected by a laptop stolen from the office of a financial adviser in East Lansing, Michigan.

The internal reports were then used to generate mailing lists for the customer notification.

In order to ensure that affected individuals could take immediate steps to protect themselves from possible identity theft or other monetary damage, LPL moved quickly to inform them of the incident.
[Evan] Yes, the breach notification does state "immediate steps", although the breach occurred in April.

The communication was sent by first-class mail in July, 2008.
[Evan] April, 2008 - July, 2008 is more than 3 months.  This seems like an abnormally long amount of time to reconstruct what may have been on the stolen laptop.

LPL retained Kroll Inc. ("Kroll"), a risk consulting company, to provide toll-free access to its Customer Solutions Center, along with credit monitoring services and identity theft restoration services.

Moreover, if the affected individual provides Kroll a Limited Power of Attorney, Kroll will work on his or her behalf to restore his or her identity, including, among other services, (1) issuing fraud alerts to government agencies and credit reporting agencies; (2) conducting a search of non-credit-data records to detect any other fraudulent activity committed in the person's name; (3) working with account holders and credit reporting agencies to dispute fraudulent accounts; and (4) working with law enforcement agencies to prevent additional fraudulent activity
[Evan] This might seem a little scary to some people.

LPL has taken several important steps to improve the level of its data security by increasing the profile of data security issues within the company at all levels, up to and including senior management.
[Evan] Good!  Information security is a discipline requiring constant improvement.

In March 2008, LPL hired Marc Loewenthal as SVP Chief Security Privacy Officer, a newly created position at LPL.
[Evan] Before LPL, Mr. Loewenthal worked in a similar position at New Century Financial.  I wonder how big of a mess he inherited when he stepped on at LPL.  I also wonder how big of a mess he still has.

Mr. Loewenthal has extensive experience in the area of data protection.

As a member of senior management, he reports directly to the Chief Risk Officer of LPL.
[Evan] I would be more impressed if he reported directly to the Chief EXECUTIVE Officer.  After all, the CEO runs the ship and should like to know immediately if his cargo is getting wet.

In addition, LPL has developed a new, comprehensive information privacy and security program, with new policies and procedures that were implemented in April 2008.

LPL has also begun a project to encrypt data maintained on the laptops used by its employees and representatives.

We apologize for any inconvenience or concern this situation may cause.

Commentary:
I don't envy walking into a newly created information security lead position.  I have had the privilege of doing it twice in consecutive positions at public companies.  Neither was as large as LPL, but the process is similar.  The letter to customers was written by Mr. Loewenthal.

Past Breaches:
May, 2008 - LPL Financial reports eighteen compromised logons
