Innodata Isogen employee data stolen from car

Date Reported:
1/5/09

Organization:
Innodata Isogen, Inc.

Contractor/Consultant/Branch:
None

Location:
Hackensack, New Jersey

Victims:
"current and certain former Innodata Isogen employees"

Number Affected:
"as many as 141"

Types of Data:
"personal information, such as Social Security number, date of birth and home address"

Breach Description:
"On December 23, 2008, an Innodata Isogen employee's car was broken into in New Jersey and her laptop case with the laptop inside, along with benefit plan enrollment sheets, and some of her personal information, was stolen."

Reference URL:
Maryland Attorney General breach notification

Report Credit:
Maryland Attorney General

Response:
From the online source cited above:

Innodata Isogen, Inc. (Innodata Isogen), experienced a data breach when an Innodata Isogen laptop and other Innodata Isogen information was stolen.

It appears that as many as 141 individuals could have been affected

Innodata Isogen plans to begin notifying the affected individuals in the next several days.

On December 23, 2008, an Innodata Isogen employee's car was broken into in New Jersey and her laptop case with the laptop inside, along with 15 benefit plan enrollment sheets, and some of her personal information, was stolen.
[Evan] This incident concerns sensitive information stored electronically on a poorly secured laptop AND information found on paper.  It is not common to read about a single breach involving multiple forms of information.

The laptop, which was password-protected, contained personal information, such as Social Security number, date of birth, and home address of current and certain former Innodata Isogen employees.
[Evan] Who is buying into the concept that operating system password-protection provides adequate access control?  The fact that organizations even mention it is frustrating to me.  It seems misleading in some respects.  People know that an operating system password (in most cases) can be bypassed in a matter of seconds, right?

The benefit plan enrollment sheets contained similar information in respect to certain Innodata Isogen employees.
[Evan] No password needed to access this information, eh?

Immediately upon discovering the theft, the employee filed an incident report with the Wayne Police Department, and reported the theft to the General Counsel at Innodata Isogen.

To date, none of these items have been recovered by authorities.

The Company is not aware of any improper access or use of the personal information contained on the stolen items.
[Evan] And we wouldn't expect the company to be aware of any improper access at this point.  How would Innodata know if data was improperly accessed on a stolen laptop?

Innodata Isogen has taken numerous steps to protect the security of personal information of the affected individuals, including providing a full package of credit protection services.
[Evan] Let's hope that this is just a misuse of words and not a misunderstanding of information security.  Any steps taken by Innodata to "protect the security of personal information" on the laptop (and on the benefit enrollment sheets) are fruitless.  They no longer have any control over this information, and thus they cannot do anything to protect against unauthorized disclosure.

Also, in addition to continuing to monitor the situation, Innodata Isogen is reexamining it [sic] current data privacy and security policies and procedures to find ways of reducing the risk of future data breaches.
[Evan] This should be included in the ongoing management of every good information security program everywhere, regardless of a breach.

While we believe that there is little likelihood your information will be misused as a result of this incident, as a precaution we have arranged for First Advantage Corporation to provide you with 12 months of credit monitoring and related services at no cost to you.
[Evan] There is little likelihood?  How does Innodata come to this conclusion?  IF someone were to misuse the information, Innodata would be hard pressed (in this incident) to make it any easier.

We are committed to treating sensitive employee information in a confidential manner and are proactive in the careful handling of such information.
[Evan] I agree that Innodata probably is proactive in many respects, but in regards to this incident, I see very little evidence of proactive information security.  Encrypting the laptop would be proactive.  Prohibiting written sensitive information from being brought home would be proactive.  Training and keeping employees aware of good information security practices is proactive.  Writing a breach notification claiming to be proactive is NOT proactive.

We apologize sincerely for any inconvenience or discomfort this incident may cause you

Commentary:
According to Innodata Isogen's Corporate Fact Sheet, "Innodata Isogen helps many of the world's leading media, publishing and information services firms create and manage content more efficiently and economically."  Efficiency and economy are good things, but security is equally (and in some cases more) important.

To be fair, this is one incident at a fairly large organization (~5,000 employees).  One incident does not give us anywhere near enough information to conclude anything about Innodata Isogen's information security across the enterprise.  However, we DO know that this incident was the result of following some very poor information security practices.

Past Breaches:
Unknown


 