Laptop used in background checks stolen from Continental Airlines
Technorati Tag: Security Breach
Date Reported:
1/12/09
Organization:
Continental Airlines, Inc.
Contractor/Consultant/Branch:
None
Location:
Newark, New Jersey
Victims:
Some employees, vendors, and "new hire candidates"
Number Affected:
230
Types of Data:
"name, Social Security number, fingerprint images, date of birth, address and other information"
Breach Description:
"Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office. This laptop was used for certain background checks, and it contained confidential data files on 230 individuals."
Reference URL:
The New Hampshire Attorney General breach notification
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
We are writing to notify you about a recent information security incident.
Continental Airlines is committed to protecting the privacy and security of personal data collected from co-workers, vendors and new hire candidates.
[Evan] How does a commitment translate into action? Most of us are committed, but too few of us act.
Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office.
[Evan] Can we assume that the laptop and/or sensitive data was unencrypted? Can we further assume that the laptop's only access control was the operating system username and password? For the rest of this post, we will make these assumptions because they are likely true, based on past experiences.
The theft was discovered on 01/02/2009.
This laptop was used for certain background checks, and it contained confidential data files on 230 individuals.
Your name, Social Security number, fingerprint images, date of birth, address, and other information may have been on the stolen computer.
[Evan] This is not the kind of information that should be allowed on a poorly secured laptop.
we have no indication at this time that the personal information has been or will be misused.
[Evan] Less than 2 weeks had passed between the time the theft occurred and this statement made. Hardly enough time for Continental to receive word that this information was misused.
We are strengthening our already tight security measures to provide greater protection for the information we maintain in order to minimize future risks.
[Evan] How?
A police report has been filed with the Port Authority police, and Continental's Corporate Security Department is working closely with the law enforcement investigation.
We are doing everything possible to recover the stolen property and to minimize the impact of this unfortunate situation.
[Evan] Who gives a *&%$ about the stolen property (laptop)? Recovery of the laptop does not ensure that the data it contained wasn't accessed, copied and/or used.
We will be sending out written notification through the U.S. mail to affected individuals during the week of January 12th.
Continental Airlines is offering 12 months of Kroll Inc.'s ID TheftSmart service.
Please know that we recognize and understand how important your privacy is.
[Evan] Recognition and understanding are good things, but without action they are nothing more than recognition and understanding.
We are truly sorry that you personal information may have been compromised due to the theft and are currently evaluating steps we can take to prevent any similar occurrence in the future.
Commentary:
I'm fairly sure that Continental Airlines uses quite a few laptop computers and other mobile devices. These technologies can be good for business and improve productivity, but risks must be taken into account. Honestly, I don't know if Continental Airlines mandates encryption of mobile data or not. Maybe this was a laptop that was somehow missed. If Continental Airlines does not mandate and enforce encryption on mobile devices AND there is a significant (i
nterpret) chance that they may access AND/OR store sensitive information, then shame on them.
Past Breaches:
Unknown
Date Reported:1/12/09
Organization:
Continental Airlines, Inc.
Contractor/Consultant/Branch:
None
Location:
Newark, New Jersey
Victims:
Some employees, vendors, and "new hire candidates"
Number Affected:
230
Types of Data:
"name, Social Security number, fingerprint images, date of birth, address and other information"
Breach Description:
"Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office. This laptop was used for certain background checks, and it contained confidential data files on 230 individuals."
Reference URL:
The New Hampshire Attorney General breach notification
Report Credit:
The New Hampshire Attorney General
Response:
From the online source cited above:
We are writing to notify you about a recent information security incident.
Continental Airlines is committed to protecting the privacy and security of personal data collected from co-workers, vendors and new hire candidates.
[Evan] How does a commitment translate into action? Most of us are committed, but too few of us act.
Unfortunately, sometime between December 31 and January 2, 2009, a Continental laptop computer was stolen from a locked Newark office.
[Evan] Can we assume that the laptop and/or sensitive data was unencrypted? Can we further assume that the laptop's only access control was the operating system username and password? For the rest of this post, we will make these assumptions because they are likely true, based on past experiences.
The theft was discovered on 01/02/2009.
This laptop was used for certain background checks, and it contained confidential data files on 230 individuals.
Your name, Social Security number, fingerprint images, date of birth, address, and other information may have been on the stolen computer.
[Evan] This is not the kind of information that should be allowed on a poorly secured laptop.
we have no indication at this time that the personal information has been or will be misused.
[Evan] Less than 2 weeks had passed between the time the theft occurred and this statement made. Hardly enough time for Continental to receive word that this information was misused.
We are strengthening our already tight security measures to provide greater protection for the information we maintain in order to minimize future risks.
[Evan] How?
A police report has been filed with the Port Authority police, and Continental's Corporate Security Department is working closely with the law enforcement investigation.
We are doing everything possible to recover the stolen property and to minimize the impact of this unfortunate situation.
[Evan] Who gives a *&%$ about the stolen property (laptop)? Recovery of the laptop does not ensure that the data it contained wasn't accessed, copied and/or used.
We will be sending out written notification through the U.S. mail to affected individuals during the week of January 12th.
Continental Airlines is offering 12 months of Kroll Inc.'s ID TheftSmart service.
Please know that we recognize and understand how important your privacy is.
[Evan] Recognition and understanding are good things, but without action they are nothing more than recognition and understanding.
We are truly sorry that you personal information may have been compromised due to the theft and are currently evaluating steps we can take to prevent any similar occurrence in the future.
Commentary:
I'm fairly sure that Continental Airlines uses quite a few laptop computers and other mobile devices. These technologies can be good for business and improve productivity, but risks must be taken into account. Honestly, I don't know if Continental Airlines mandates encryption of mobile data or not. Maybe this was a laptop that was somehow missed. If Continental Airlines does not mandate and enforce encryption on mobile devices AND there is a significant (i
Past Breaches:
Unknown
Posts Atom 1.0
Evan, why does so much of this show up in New Hampshire? Is it just well reported or is there an excessive amount of foolishness going on up there?
Reply to this