Stolen Starbucks laptop contained sensitive partner information
Technorati Tag: Security Breach
Date Reported:
11/22/08
Organization:
Starbucks Corporation
Contractor/Consultant/Branch:
None
Location:
Seattle, Washington*
*Starbucks headquarters. The incident took place at an "unspecified location"
Victims:
"partners" (employees)
Number Affected:
"approximately 97,000"
Types of Data:
"private information (including name, address and social security number)"
Breach Description:
"Starbucks Corp. confirmed Monday that a laptop containing private information on 97,000 employees was stolen Oct. 29."
Reference URL:
starbucks gossip
KING-TV News
Seattle Post Intelligencer
KOMO News
Report Credit:
starbucks gossip
Response:
From the online sources cited above:
Starbucks Corp. confirmed Monday that a laptop containing private information on 97,000 employees was stolen Oct. 29.
The information included names, addresses and Social Security numbers, according to an undated memo addressed to affected employees.
[Evan] Obvious questions include why is sensitive information permitted on mobile devices (such as laptops, PDAs, flash drives, etc.) and why aren't mobile devices encrypted? This isn't some kind of new way to lose control of sensitive information.
Because Starbucks takes our commitment to safeguarding the personal information and security of our partners very seriously, we are writing to inform you of a recent incident that may have involved a breach of your private information (including name, address and social security number).
Starbucks Enterprise Security learned that a laptop containing partner information was stolen on October 29, 2008.
[Evan] There is no mention of how or where this laptop was stolen. Should we assume it was stolen from an employee's car (which seems almost semi-standard)?
The private information of approximately 97,000 US Partners, including yours, was stored on this laptop.
A police report was filed with the Seattle Police Department.
At present, we have no indication that the private information has been misused.
[Evan] Nor would anyone expect an indication of misuse so soon. It hasn't even been a month.
Starbucks has partnered with Equifax to offer, at no cost to you, credit watch services for the next year.
When these incidents occur, we take the opportunity to once again review our procedures for protecting data and educate our partners about ways to further protect their personal information.
[Evan] It shouldn't only be when these incidents occur that we take the opportunity to review policy, procedures and compliance. Formal reviews should be conducted on a regular basis (semi-annually, annually, bi-annually, etc.), as should risk assessments. It is hard to believe that laptop security (or insecurity) would have been missed in a formal risk assessment. Does Starbucks conduct regular risk assessments as part of a larger risk management program? If so, can we assume that mobile device security (or insecurity) was addressed? Let's make another assumption and say that Starbucks does conduct regular risk assessments AND laptop security (or insecurity) was addressed. What was the management decision? Ignore the risk? Accept the risk? Many assumptions, but hopefully you get the point I am trying to make.
We also continue our work to prevent future incidents from occurring.
In fact, we are currently implementing encryption solutions where appropriate.
[Evan] I wonder where it has been deemed appropriate.
Again, while we have no evidence that your personal information has been misused or compromised, we believe it is important that you are fully informed of the potential risks associated with this incident.
Starbucks regrets any inconvenience this situation may cause.
If you have any questions, please contact the Starbucks Partner Contact Center.
Commentary:
It seems like it has been a while since we read about a lost/stolen laptop.
If laptops are permitted at your organization, and you believe that there is a chance that they might be used to store sensitive (personal, financial, medical, non-public business, etc.) information, it might be a good idea to inform the people responsible for information security within your organization and ask questions. In my opinion, good information security professionals would appreciate it, if for nothing else but assurance that the user community is involved.
Past Breaches:
Starbucks Corporation:
According to the Seattle Post Intelligencer article:
"This isn't the first time a Starbucks laptop has gone missing. In November 2006, the company said it was unable to find four out-of-use laptops at its headquarters.
They contained the names, addresses and Social Security numbers of 50,000 former and 10,000 then-current employees. The Seattle-based company waited two months to disclose the problem while an internal investigation was completed to try to find the computers."
This incident occurred prior to the establishment of The Breach Blog.