Former Occidental Petroleum employees notified of mistaken email
Technorati Tag: Security Breach
Date Reported:
1/6/09
Organization:
Occidental Petroleum Corporation ("Occidental")
Contractor/Consultant/Branch:
None
Location:
Tulsa, Oklahoma
Victims:
Former employees
Number Affected:
Unknown
Types of Data:
"names, addresses, birthdates, employee identification numbers, starting dates, retirement dates, and social security numbers"
Breach Description:
"On December 11, 2008, Occidental discovered that a former employee has emailed to a personal email account a spreadsheet listing former Occidental employee's names, addresses, birthdates, employee identification numbers, starting dates, retirement dates, and social security numbers"
Reference URL:
Vermont Attorney General breach notification
Report Credit:
The Vermont Attorney General
Response:
From the online source cited above:
On December 11, 2008, Occidental discovered that a former employee had emailed to a personal email account a spreadsheet listing former Occidental employees' names, addresses, birthdates, employee identification numbers, starting dates, retirement dates, and social security numbers.
[Evan] Every company I have consulted for or worked for has allowed the practice of sending company email to personal email accounts. Not all of them allowed it explicitly, but they all allowed it nonetheless. Most of the time, the biggest users of personal email accounts were management. It's a convenient (albeit risky) method for transferring information for work to continue from a remote location. Once the risk has been communicated and secure alternatives suggested, most companies chose to employ controls to stop the practice.
Occidental immediately retained our firm to assist it with respect to the incident.
[Evan] The firm which Occidental retained is GableGotwals. Contacting legal counsel was the first thing that Occidental did in response to this breach? What is the first action in your incident response plan?
On December 12, 2008, we contacted the Secret Service and the United States Attorney office in Tulsa, Oklahoma, where the incident occurred.
[Evan] Why contact the Secret Service and US Attorney's Office? This doesn't seem like a criminal matter. I am no lawyer, but this seems more like a civil matter.
On December 15, 2008, a lawsuit was filed against the former Occidental employee to demand the return of the information that was improperly taken.
[Evan] Show me a lawyer who doesn't like a lawsuit. I dare you.
At an injunction hearing on December 23, 2008, the former employee testified that the information was mistakenly obtained and has not been misused.
The court entered an order directing the return of the information and granting Occidental access to the former employee's computer and email account to ensure the information was removed.
We are presently conducting a forensic analysis of the computer and email account to confirm the facts.
We additionally have sworn testimony from the former employee that the information was not used or disclosed.
At this point Occidental has no reason to believe that the information has been used or disclosed by the former employee.
However, in an abundance of caution, we are informing you about this incident so that you may properly evaluate what actions you wish to take in this matter.
[Evan] Ugh, there is the "abundance of caution" reference! This appears in too many breach notifications. I would say notifying people that their information has been compromised is much less than an abundance of caution. It's the right thing to do.
In addition, we understand that you may have questions. Please feel free to contact us at our toll-free number () if you have additional questions or concerns.
Please accept our sincerest apologies, and be assured that Occidental has always taken and will continue to take great measures to protect the personal information of all current and former employees.
[Evan] How will Occidental prevent a similar occurrence? What controls (if any) will they employ to prevent employees from sending sensitive information to their personal email accounts?
In particular, Occidental employees with access to personal information must sign confidentiality agreements and agree not to disclose personal information.
[Evan] Prospective employees should be given legal counsel too in order to advise them on whether or not they should sign the confidentiality agreement. LOL. Not likely.
Occidental is offering 12 months of credit monitoring
Commentary:
I appreciate the fact that Occidental responded to this breach and has issued a notification. This breach could have been swept under the rug, but Occidental management has better moral judgment.
As I stated earlier in this post, most companies I have worked with allow the use of personal email. Additionally, most of these companies fail to control the type of information leaked through this use. Without control, there is nothing to prevent the potential exposure of an endless amount of sensitive information. Personal email accounts (Hotmail, Gmail, Yahoo, etc.) should never be considered safe places to store sensitive information. I won't even mention the risk involved in sending email in clear-text.
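The kind of control referred to above is usually implemented as an outbound-mail data loss prevention (DLP) check at the gateway. The following is an added illustration written for this post; it is not Occidental's, GableGotwals' or any vendor's code. It assumes a gateway that hands each outbound message, with any attachment already reduced to text, to a policy function, and it flags messages bound for consumer webmail domains that carry Social Security number patterns. The messages and SSN values at the bottom are constructed sample data.

```python
"""Outbound e-mail DLP policy check (illustrative, constructed for this post).

A message is blocked when (a) at least one recipient is at a consumer webmail
domain and (b) the body or an attachment contains at least `ssn_threshold`
strings shaped like U.S. Social Security numbers. Everything here is an
assumption about how such a gateway would be wired up.
"""
import re
from dataclasses import dataclass, field

# Consumer webmail domains named in the post; a real deployment would tune this list.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}

# 123-45-6789 shape. The lookaheads reject area 000/666/9xx, group 00 and serial
# 0000, which the SSA never issues, and the \b anchors keep dates like
# 2008-12-11 from matching on their trailing digits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def personal_recipients(msg):
    """Recipients whose mailbox lives at a consumer webmail provider."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() in PERSONAL_MAIL_DOMAINS]


def count_ssns(text):
    return len(SSN_RE.findall(text))


def evaluate(msg, ssn_threshold=1):
    """Return the verdict and the evidence a reviewer would want logged."""
    personal = personal_recipients(msg)
    hits = {"body": count_ssns(msg.body)}
    for name, text in msg.attachments.items():
        hits[name] = count_ssns(text)
    total = sum(hits.values())
    block = bool(personal) and total >= ssn_threshold
    return {
        "action": "block" if block else "allow",
        "personal_recipients": personal,
        "ssn_hits": hits,
        "total_ssns": total,
    }


# Constructed sample: a retiree roster exported as CSV and mailed to a personal account.
LEAK_MSG = OutboundMessage(
    sender="someone@example-corp.invalid",
    recipients=["someone.home@gmail.com"],
    subject="retiree list",
    body="Here is the spreadsheet.",
    attachments={"retirees.csv": (
        "name,employee_id,start_date,retirement_date,ssn\n"
        "A. Person,EMP-10234,1981-03-02,2008-12-11,123-45-6789\n"
        "B. Person,EMP-10771,1979-07-15,2007-06-30,078-05-1120\n"
        "C. Person,EMP-11002,1985-01-20,2008-09-01,219-09-9999\n")},
)

# Constructed sample: same data, but sent to an internal colleague; the policy
# above lets it through, which is why gateway DLP alone is not a complete control.
INTERNAL_MSG = OutboundMessage(
    sender="someone@example-corp.invalid",
    recipients=["hr@example-corp.invalid"],
    subject="retiree list",
    body=LEAK_MSG.attachments["retirees.csv"],
)

# Constructed sample: ordinary mail to a personal account with no sensitive content.
BENIGN_MSG = OutboundMessage(
    sender="someone@example-corp.invalid",
    recipients=["someone.home@yahoo.com"],
    subject="running late",
    body="Meeting moved to 2008-12-11, see you then.",
)

if __name__ == "__main__":
    for m in (LEAK_MSG, INTERNAL_MSG, BENIGN_MSG):
        print(m.subject, "->", evaluate(m))
```

The threshold matters in practice: a single SSN in a message to a personal account is often a legitimate HR exchange and is better quarantined for review than hard-blocked, whereas a spreadsheet with dozens of rows is almost never legitimate. The internal-recipient sample is there to make the limitation explicit: a mail gateway only sees mail, so webmail used from a browser, removable media and cloud sync need their own controls.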
On a side note, I am hearing rumors of something big coming out this week in terms of a very significant breach (millions affected?). There is nothing public yet, and many of the rumors are still unsubstantiated. I mention it here because the rumors are a little louder than usual. Stay tuned.
Past Breaches:
Unknown