Unknown number of employees affected by stolen HP laptop
Technorati Tag: Security Breach
Date Reported:
12/3/08
Organization:
Hewlett-Packard ("HP")*
*"the world’s largest technology company", Source: recent HP News release
Contractor/Consultant/Branch:
Unknown
Location:
Houston, Texas area**
**HP headquarters are located in Palo Alto.
Victims:
Current and former HP employees
Number Affected:
Unknown, "approximately 626 Maryland residents" are known to be affected.
Types of Data:
Personal information including names and Social Security numbers
Breach Description:
Hewlett-Packard has reported the theft of a laptop computer containing sensitive personal information to the Maryland Attorney General's office. The laptop contained information belonging to current and former employees who were at one time participants in the HP benefits program.
Reference URL:
Maryland Attorney General breach notification (including the notification letter sent to victims)
PogoWasRight
Report Credit:
The Maryland State Attorney General's office with a special thanks to Dissent over at PogoWasRight.
Response:
From the online sources cited above:
[Evan] I rarely make comments at the beginning of the Response section, but I want to point some things out at the start. Hopefully, you take the chance to read the reference URLs listed above as I do. As you do, see if you get the same feelings I do. I get the feeling that HP has been very careful in choosing their words in the notification. Let's dig in.
we are writing to inform you of the theft of a laptop computer containing certain personal information about some participants in HP benefits programs
Although there is no evidence to suggest that the information on the laptop has been misused, HP has been working closely with law enforcement authorities to recover the laptop, which was stolen several months ago.
[Evan] So far, this is another classic stolen laptop breach. Shame. What exactly is "several months ago"? Here's my take. I am the owner of my information. I hope we can agree on that. The organizations who use or access my information in any way are custodians (they need to take care of it). They are required to use my information in a manner that I approve of. They are also required to disclose to me how they collect my information, how they store my information, how they transfer my information, how they destroy my information, and how they lose/lost control of my information (such would be the case in this breach, if I were a victim). Is this too much to ask? Obviously utopian, but being told that my information was "stolen several months ago" would not be good enough for me. I want to know exactly when, where, and how my information was compromised. My information, not yours. This is an important information security concept here.
We have been working to fully establish the specific information contained on the laptop and, at this time, names and Social Security numbers of some current and former employees have been identified.
We are working with law enforcement authorities to recover the stolen laptop.
At this time, we are aware of approximately 626 Maryland residents who may be affected by this incident.
[Evan] I don't know if this is any indication of the total number of people affected. We don't have enough information to extrapolate with any accuracy.
We are continuing to investigate what information was contained on the laptop and, to the extent further notification is required, we will notify affected residents and provide you with an update.
We are taking steps to help ensure that this type of incident does not happen in the future.
[Evan] Like what? Give the people at least one "step".
We regret that this incident may affect you.
We take our obligation to safeguard personal information very seriously and, therefore, we are alerting you so you can take steps to help protect yourself from possible identity theft.
The laptop was secured by user name and password, and we have no evidence indicating that any of the information has been accessed or misused.
[Evan] Puhleez! Are there people who still believe that a user name and password (likely OS) are adequate controls for sensitive information on a laptop?
To further assist you, we are offering you the opportunity to enroll in credit monitoring, which we have arranged to provide at no charge to you for up to two years.
[Evan] This is the one statement that seems to differ from the norm. Two years is longer than the semi-standard one, which is semi-better than none. Credit monitoring is primarily a detective control. It is not a preventative control. This means that it will not prevent identity theft; it will only alert you after it has already occurred. If given the choice of an effective preventative control versus an effective detective one, I would choose preventative any day. An appropriate mixture of controls is ideal. This is another important information security concept.
If you require additional information you may contact the Hewlett-Packard Privacy Office by sending an email message to or by calling .
Again, we regret any inconvenience this may cause you and will continue to pursue this matter to help prevent this type of incident from occurring in the future.
Commentary:
My displeasure is not directed at HP per se. My displeasure is directed at the incident and response. I am troubled with the fact that sensitive information was permitted to be stored on a laptop and I am troubled with the fact that the information on the laptop was not well protected.
More Interesting Reading:
The text of Hewlett-Packard's Chief Privacy Officer's testimony before the Subcommittee on Commerce, Trade and Consumer Protection; Committee on Energy and Commerce of the United States House of Representatives on June 20, 2006. Read it here.
Hewlett-Packard's "Your laptop got stolen, now what?" article is interesting and highlights the following "Tips for secure mobility":
- Do not leave your laptop unguarded, ever. Better safe than sorry.
- Backup your data frequently. This allows you to minimize the impact of your loss and reduce the downtime.
- Encrypt sensitive data or even your entire hard drive. This minimizes confidentiality issues.
- Carry a spare external drive with a copy of your laptop drive. This will allow you to ramp-up quickly after your loss and allow you for access to all your files from a temporary computer. It also protects you from hardware failures.
- Use a smartphone-type mobile phone that allows for synchronization of calendar and contact information, and possibly to send and receive email as well. This gives you a way to stay in touch and keep going while you deal with your notebook loss.
- Subscribe to a hardware tracking service. This helps find the thieves and retrieve your assets.
The only one of these tips that addresses protection against unauthorized disclosure of information is the encryption tip. The others are primarily meant to address the availability of information. It is very important to place balanced (risk-based) emphasis on the protection of Confidentiality, Integrity, and Availability (C.I.A., seen this before?) of sensitive information.
One last thing to leave you with. This post is meant to educate and offer opinions about this ONE breach, and is not meant as a reflection of HP's information security practices. As an outsider I am fairly confident that HP's practices are much above par, and it is unfair (and flawed logic) for me to use this singular incident as a yardstick to measure HP's information security practices in general.
Past Breaches:
August, 2007 - Hewlett-Packard Director Lost Laptop, 1425 Affected
As I reported here, there is more to this story that raised my eyebrows. From their spokesperson's email to me:
"When the laptop of an HP employee based in the Houston area was stolen, several months ago, HP Security and local law enforcement were notified immediately and proper HR procedures were followed. The laptop was initially believed to contain no sensitive personal data. During a more recent assessment of back-up files, it was discovered that the laptop did contain certain personal information about some participants in HP benefits programs."
My comment: if you have a laptop stolen and are reviewing backup tapes, I would hope that they would be thoroughly reviewed. So how is it that HP could not tell the Maryland AG what kinds of PII were on the stolen laptop?
Their spokesperson also wrote to me:
"In terms of the number of employees affected, HP does not have exact numbers;"
My comment: how do you not know how many people had data on the laptop if you backup regularly and have the backup tapes?
The spokesperson also wrote: "...however, the HP Security & Privacy groups have indicated that at least several thousand employee records were contained in the laptop."
If HP can notify Maryland that approximately 626 residents had data on the laptop, I am nonplussed that they cannot state how many people had data on the laptop and refer the media to HP Security and Privacy Groups to get a sense of how big the breach was.
Hopefully, this is an anomaly in their security, but it did strike me as not their finest hour.
Ah. I missed the spokesperson's email.
You are using logic here. Are you sure logic is appropriate?
Great questions.
I think HP CAN answer what kinds of PII were on the stolen laptop and I also think HP CAN answer how many people were affected in totality. In my opinion, HP has chosen not to answer these questions in the hopes that nobody will notice and this event will go away.
626 people in Maryland were affected (according to the notification) and it is estimated that only 1.8% of the total US population lives in Maryland (according to the U.S. Census Bureau). Does this give us any clues? We don't know what percentage of HP employees are Maryland residents, but we do know that HP's headquarters are in California. We don't know if this breach affects global employees or only U.S.-based employees. We just don't know much, so we speculate. Speculation in this case is a result of poor communication.
Forgot to mention: the incident was in the Houston area, based on their corporate statement to PogoWasRight.org
And thanks for your kind words about the site. I spend so much time finding/reporting news that I don't have as much time to write commentaries, so I really value your insight and comments on breaches.
Houston. Good information. I will update the location in the post.
When I think of PogoWasRight, I really do think of the word pioneer. True or not, it's what comes to mind.
It is cool to think that people who have never met each other (in person) can work together towards similar goals. We each bring our own unique experiences and strengths in what we do.
The sites and people I have come to appreciate over the past couple of years are many. This gives me hope.