Some Orbitz employees may be affected by stolen laptop

Date Reported:
9/24/08

Organization:
Orbitz Worldwide

Contractor/Consultant/Branch:
None

Location:
Chicago, Illinois

Victims:
U.S.-based employees

Number Affected:
"some"; no figure is given in the notification

Types of Data:
"payroll files that included the names, Social Security numbers and dollar amounts of flexible spending plan contributions"

Breach Description:
The New Hampshire State Attorney General was notified of an incident that "involved the theft of a password protected laptop computer from the car of an Orbitz Worldwide employee".  The laptop may have contained sensitive personal information belonging to "some" U.S.-based employees of the company.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Pursuant to RSA 359-C:20, I (b), we are writing to notify you of an incident that occurred on September 8, 2008 that may affect personally identifiable information
[Evan] I think Orbitz deserves some credit for a speedy notification.  September 8th through September 24th (the date on the breach notification letter) is only 16 days.

The incident involved the theft of a password protected laptop computer from the car of an Orbitz Worldwide employee that occurred in Chicago, Illinois.
[Evan] Why do you suppose Orbitz mentions "password protected"?  Does anyone actually think that password protection (in the sense that they are likely referring to here) is adequate?  Less than five minutes for someone with any computer skills and the password is useless.  I don't think I would have even mentioned it.

Orbitz reported the theft to the police department, but the laptop has not been recovered.

After investigating this incident, we believe that this laptop may have contained files that included the names and Social Security numbers of some of our U.S.-based employees
[Evan] Not cool.

We have no reason to believe that the computer was stolen to access any information and cannot conclusively confirm whether the laptop contained your information.

because we are not able to rule out this possibility, we are exercising an abundance of caution
[Evan] Obviously, it would be better if the "abundance of caution" were used prior to the theft.  When I think about it, I don't even like an "abundance of caution".  I like just the right amount of caution whenever possible.

Orbitz Worldwide is taking measures to minimize the risk of such data compromises in the future, including renewed employee security training and acceleration of the company wide laptop encryption initiative which began prior to the laptop theft.
[Evan] Excellent!  I like how Orbitz didn't just say "we are taking measures to minimize risk", but also chose to elaborate.  Improved (and hopefully regular) security training is a good administrative control and encryption of laptops is a fine logical one.
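To make concrete the distinction the two annotations above draw between a "password protected" laptop and an encrypted one, here is an added example (not code from the original post, and nothing to do with Orbitz's actual systems). It models a disk two ways: as a login gate in front of plaintext, which a thief bypasses by reading the drive directly, and as data at rest bound to a key derived from the passphrase, which reads as ciphertext without it. The password, the payroll record, and the illustrative cipher (an HMAC-SHA256 keystream in counter mode with an HMAC tag, standing in for the AES-XTS a real full-disk-encryption product would use) are all assumptions made for the demonstration.

```python
"""Added example: an OS login password versus encryption at rest.

Constructed sample data and a toy cipher for illustration only; not Orbitz's
code, and not a substitute for a real full-disk-encryption product.
"""
import hashlib
import hmac
import os

# Constructed, fictitious payroll record of the kind the notification describes
# (name, Social Security number, flexible spending contribution).
PAYROLL_RECORD = b"Jane Doe,123-45-6789,FSA:2400.00\n"
SSN = b"123-45-6789"


class PasswordGatedDisk:
    """'Password protected' laptop: the OS checks a password before showing
    files, but the bytes on the drive are plaintext.  Pulling the drive or
    booting from removable media reads them without ever seeing the prompt."""

    def __init__(self, password: str, data: bytes):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._raw_disk = data  # plaintext at rest

    def login_and_read(self, password: str) -> bytes:
        candidate = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(candidate, self._pw_hash):
            raise PermissionError("bad password")
        return self._raw_disk

    def read_raw_disk(self) -> bytes:
        """What the thief sees with physical access: the gate is simply skipped."""
        return self._raw_disk


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF keystream: HMAC-SHA256(key, nonce || counter) blocks, counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedDisk:
    """Full-disk-encryption model: every byte at rest is ciphertext under a key
    derived from the passphrase with PBKDF2; an HMAC tag (encrypt-then-MAC)
    rejects a wrong passphrase or a tampered drive instead of returning junk."""

    PBKDF2_ITERATIONS = 200_000  # assumption; tune to your hardware

    def __init__(self, passphrase: str, data: bytes):
        self._salt = os.urandom(16)
        self._nonce = os.urandom(16)
        enc_key, mac_key = self._derive_keys(passphrase, self._salt)
        stream = _keystream(enc_key, self._nonce, len(data))
        ciphertext = bytes(a ^ b for a, b in zip(data, stream))
        tag = hmac.new(mac_key, self._nonce + ciphertext, hashlib.sha256).digest()
        self._raw_disk = ciphertext + tag

    @classmethod
    def _derive_keys(cls, passphrase: str, salt: bytes):
        km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                 cls.PBKDF2_ITERATIONS, dklen=64)
        return km[:32], km[32:]  # separate encryption and MAC keys

    def unlock_and_read(self, passphrase: str) -> bytes:
        enc_key, mac_key = self._derive_keys(passphrase, self._salt)
        ciphertext, tag = self._raw_disk[:-32], self._raw_disk[-32:]
        expected = hmac.new(mac_key, self._nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("wrong passphrase or tampered disk")
        stream = _keystream(enc_key, self._nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))

    def read_raw_disk(self) -> bytes:
        """What the thief sees: ciphertext plus a tag, useless without the key."""
        return self._raw_disk


def stolen_laptop_demo(password: str = "Orbitz2008!") -> dict:
    """Compare what raw drive access yields under each control."""
    gated = PasswordGatedDisk(password, PAYROLL_RECORD)
    encrypted = EncryptedDisk(password, PAYROLL_RECORD)
    return {
        "gated_leaks_ssn": SSN in gated.read_raw_disk(),
        "encrypted_leaks_ssn": SSN in encrypted.read_raw_disk(),
        "owner_can_still_read": encrypted.unlock_and_read(password) == PAYROLL_RECORD,
    }


if __name__ == "__main__":
    print(stolen_laptop_demo())
```

The caveat a practitioner would add: encryption at rest is only as strong as the passphrase behind it (a short one falls to offline guessing against the salt and tag), which is why production products seal the key in a TPM or require a strong pre-boot passphrase, and none of it helps if the laptop is stolen while powered on or suspended with the key still in memory.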

each of the affected individuals will be offered a year of credit monitoring at no charge

If you choose to enroll in this product, you will need to activate it by December 30, 2008.

Orbitz Worldwide plans to notify potentially affected individuals on or before September 25, 2008, by U.S. mail.

Orbitz Worldwide considers the protection of the personal information of its employees and former employees to be one of its highest priorities.

If you have any questions concerning this incident, we encourage you to call the toll-free number we have established to answer any questions, 1-, between the hours of 8 a.m. and 6 p.m. Central time, Monday through Friday.

Commentary:
The fact that only 16 days had passed before Orbitz had notified the New Hampshire Attorney General kind of leads me to believe that Orbitz has a formal incident response plan (policy and procedures).  That's a good thing.  Every company should.

I like the response of "renewed employee training" and accelerated deployment of encryption on laptops.  These controls should decrease the chances of a similar occurrence.  I hope that the "renewed employee training" is an ongoing process, say annual?

Past Breaches:
Unknown

  • 10/1/2008 6:58 AM Dissent wrote:
    Hi Evan,

    I got a statement from them that adds an interesting piece of info -- they decided to inform *all* of their employees in the U.S. about this incident, even though not all are being offered the credit monitoring. My impression is that they were notifying everyone as part of their reminder to employees on the need for security.

    And certainly letting everyone know might help prevent a repeat by another employee elsewhere who would not otherwise have learned of the incident.

    Cheers,

    /Dissent
