Laptop is stolen during Inovis merger with GXS, results in breach
Date Reported:
6/15/10
Organization:
GXS
Contractor/Consultant/Branch:
Inovis
Location:
Undisclosed
Victims:
Inovis employees
Number Affected:
Undisclosed*
*It is estimated that there were approximately 600 Inovis employees prior to the merger with GXS; however it is not known how many employees are affected by this breach. Source:
Types of Data:
"names, addresses, SSNs, and salary data"
Breach Description:
"Based on Inovis's investigation to date, it has determined that a laptop in the possession of an employee of GXS (a company that is currently in the process of merging with Inovis) was stolen on or about May 4, 2010, and GXS notified Inovis on May 21, 2010. The laptop contained databases including personal information" belonging to Inovis employees
Reference URL:
New Hampshire State Attorney General
Report Credit:
Inovis via the New Hampshire State Attorney General
Response:
From the online source cited above:
Letter to Inovis employees:
At Inovis, we care about the privacy and security of our employee data.
As you know, we have been engaged in completing a merger with GXS, and as part of that merger we have provided certain information regarding Inovis to GXS.
[Evan] Mergers present unique risks to the security of information. We (FRSecure) have first-hand experience in helping companies manage these risks.
We were notified on Friday May 21, 2010 that a GXS employee's laptop was stolen which contained Inovis U.S. employee personal information.
[Evan] Nowhere is there any mention of encryption, so we will assume that this laptop was not encrypted. How do you justify storing sensitive personal information on a laptop (or other mobile device) without encryption? It's hard to claim that you didn't know any better.
Our investigation indicates that the information included names, addresses, SSNs, and salary data.
We have procedures in place at Inovis that would have prevented such an event, but we are reviewing our procedures to ensure that they are still viable and sufficient.
[Evan] What? If you have procedures in place that would have prevented such an event, then why didn't your procedures actually prevent this event? Maybe they do have preventative procedures, but they weren't being followed, or maybe they have procedures that are in fact insufficient.
We have also received assurances from GXS that they are taking action to ensure that a similar incident does not occur in the future.
[Evan] Like, I don't know… encryption?
This matter has been reported to law enforcement by GXS and an investigation is pending.
[Evan] Be careful what gets reported to law enforcement. Once law enforcement accepts responsibility, the company could lose control of the investigation and/or response.
Based on our investigation to date, we are unaware of any misuse of the information that may have been wrongfully and unlawfully obtained.
In addition, based on the investigation so far, we believe that the likelihood of improper use of this data is low.
[Evan] How does Inovis come to this conclusion? I wonder what the supporting facts are.
Nevertheless, in an abundance of caution, we encourage you to be proactive to help avoid the breach of your identity.
[Evan] Ugh. I really dislike the use of the term "in an abundance of caution". An abundance of caution would have prevented the breach.
You should review the following information on steps that you should take immediately.
In addition, you should review the document titled "What you should know" at the web address (http://sharepoint/Department/HR/Benefits/Documents/What%20you%20should%20knowdoc.pdf), as it contains resource information and contact numbers that might be helpful to you in preventing Identity Fraud from occurring.
[Evan] Should the internal resource cited in this letter have been redacted before sending to a public agency (New Hampshire Attorney General)?
Commentary:
I have to admit, the number of breaches resulting from the theft or loss of an unencrypted laptop seems to have diminished over the years. Many organizations have taken the time to address this risk, which makes the companies that haven't stand out that much more.
Past Breaches:
Unknown