Nye Lubricants employee gains unauthorized access to network
Technorati Tag: Security Breach
Date Reported:
8/22/08
Organization:
Nye Lubricants
Contractor/Consultant/Branch:
None
Victims:
Current and former employees
Number Affected:
173
Types of Data:
"names, and social security numbers, among other information"
Breach Description:
"The Company recently learned that on or about August 15, 2008, an employee without proper authority accessed the Company's computer network."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
The Company recently learned that on or about August 15, 2008, an employee without proper authority accessed the Company's computer network.
[Evan] This first statement is a little confusing. Employees are typically granted access to company networks.
Despite our efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised - only that the opportunity for unauthorized access or use of personal information existed.
[Evan] So did Nye sound the alarm due to the fact that an employee accessed the network when he/she was not authorized to do so, and nothing more?
Unfortunately, we cannot determine whether anyone's personal information was accessed or used improperly.
The databases at issue contained names and social security number, among other information.
It appears that as many as 173 individuals could have been affected
We take the possibility of identity theft very seriously and therefore, are sending a precautionary advisory to individuals who potentially could have been affected.
We apologize for this situation and any inconvenience it may cause you.
Shortly after discovering the irregular activities referenced above, Company officials commenced an investigation and examined its systems in order to determine the nature and scope of the unauthorized access and use of these systems.
Please know that the Company also is taking immediate steps to enhance the security of its information systems going forward.
[Evan] Does anyone know what vulnerability was exploited and what needs to be enhanced?
The Company's actions in this regard are ongoing.
Based on our investigation to date, we are not aware of any specific cases of misuse of personal information that was maintained on the Company's information systems affected by this incident.
While we believe that there is little likelihood your information will be misused as a result of this incident, as a precaution we have arranged for Privacy Solutions, LLC to provide affected employees who enroll, with an Identification Theft Deterrent program.
If Human Resources does not hear from you by September 12, 2008, you will no longer be eligible to enroll in the program.
The Company takes data security very seriously and has taken steps to minimize the risks from this incident.
Please contact Anne MacLellan, at if you have any questions.
Commentary:
There is much more to this story than that which is disclosed in the breach notification. I don't think that it makes much sense to notify attorney generals and concerned people if there is no tangible evidence that there was any real increased risk to personal information. I applaud Nye for be cautious, but sometimes too much caution causes too much panic.
Past Breaches:
Unknown
Date Reported:8/22/08
Organization:
Nye Lubricants
Contractor/Consultant/Branch:
None
Victims:
Current and former employees
Number Affected:
173
Types of Data:
"names, and social security numbers, among other information"
Breach Description:
"The Company recently learned that on or about August 15, 2008, an employee without proper authority accessed the Company's computer network."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
The Company recently learned that on or about August 15, 2008, an employee without proper authority accessed the Company's computer network.
[Evan] This first statement is a little confusing. Employees are typically granted access to company networks.
Despite our efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised - only that the opportunity for unauthorized access or use of personal information existed.
[Evan] So did Nye sound the alarm due to the fact that an employee accessed the network when he/she was not authorized to do so, and nothing more?
Unfortunately, we cannot determine whether anyone's personal information was accessed or used improperly.
The databases at issue contained names and social security number, among other information.
It appears that as many as 173 individuals could have been affected
We take the possibility of identity theft very seriously and therefore, are sending a precautionary advisory to individuals who potentially could have been affected.
We apologize for this situation and any inconvenience it may cause you.
Shortly after discovering the irregular activities referenced above, Company officials commenced an investigation and examined its systems in order to determine the nature and scope of the unauthorized access and use of these systems.
Please know that the Company also is taking immediate steps to enhance the security of its information systems going forward.
[Evan] Does anyone know what vulnerability was exploited and what needs to be enhanced?
The Company's actions in this regard are ongoing.
Based on our investigation to date, we are not aware of any specific cases of misuse of personal information that was maintained on the Company's information systems affected by this incident.
While we believe that there is little likelihood your information will be misused as a result of this incident, as a precaution we have arranged for Privacy Solutions, LLC to provide affected employees who enroll, with an Identification Theft Deterrent program.
If Human Resources does not hear from you by September 12, 2008, you will no longer be eligible to enroll in the program.
The Company takes data security very seriously and has taken steps to minimize the risks from this incident.
Please contact Anne MacLellan, at if you have any questions.
Commentary:
There is much more to this story than that which is disclosed in the breach notification. I don't think that it makes much sense to notify attorney generals and concerned people if there is no tangible evidence that there was any real increased risk to personal information. I applaud Nye for be cautious, but sometimes too much caution causes too much panic.
Past Breaches:
Unknown
Posts Atom 1.0
Comments