Job board breach affects some PSS World Medical applicants

Date Reported:
9/15/08

Organization:
PSS World Medical, Inc

Contractor/Consultant/Branch:
None

Location:
Jacksonville, Florida

Victims:
"certain individuals who posted their information to the career board website"

Number Affected:
Unknown*

*Approximately 116 New Hampshire residents

Types of Data:
"personal information such as name, address, date of birth, driver's license number and Social Security number"

Breach Description:
In a breach notification letter sent to the New Hampshire State Attorney General, PSS World Medical states that the company "recently became aware of an incident involving unauthorized access to" the company's career board website. The unauthorized access resulted in the exposure of personal information belonging to job applicants and others who may have posted their information on the site.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

In accordance with N.H. Rev. Stat. Ann. 359, we are providing you with written notification regarding the nature and circumstances of a recent data security incident.

We recently became aware of an incident involving unauthorized access to PSS World Medical, Inc.'s career board website.

The event may have resulted in unauthorized access to certain personal information such as name, address, date of birth, driver's license number and Social Security number of certain individuals who posted their information to the career board website.
[Evan] What event?  What happened?  Did someone/something circumvent authentication?  Did someone take advantage of a vulnerability on the site?  Did an admin's machine get infected with malware (virus, trojan, spyware, etc.)?  No clue.

While we believe personal information may have been accessed, we have no evidence that any information has been obtained or misused.
[Evan] The statement above was written in the letter to the AG; it was slightly different in the letter to victims: "While personal information was at risk of being accessed, we have no evidence that the information has been misused." See a difference, ever so slight?

We have taken steps to enhance our security procedures to help ensure that this type of incident does not happen again.
[Evan] How?  What about this statement should provide anyone with a sense of security?  Readers aren't provided with enough information, and no detail.

We regret that this incident may affect you.

We take our obligation to safeguard personal information very seriously and, therefore, we are alerting you so you can take steps to protect yourself from possible identity fraud.

If you would like to speak with us, please call us toll-free at , Monday through Friday, between 9:00 AM - 5:00 PM Eastern.

[Evan] The company is providing free credit monitoring to the affected persons, although it is not clear for how long.

Commentary:
There are a heckuva lotta words in the breach notification that don't tell people much about much.  We know that unauthorized access was obtained to the PSS World Medical job board website which allowed access to personal information.  We don't know how.  We don't know if the unauthorized access originated from inside the company or from the outside.  We don't know if the breach was caused by a technical vulnerability, poor configuration, or employee mistake.  Who knows?

Past Breaches:
Unknown


 