Laptop stolen in Quantum office break-in affects employee records


Date Reported:
6/17/10

Organization:
Quantum Corporation

Contractor/Consultant/Branch:
None

Location:


Victims:
"certain Quantum employees"

Number Affected:
Undisclosed

Types of Data:
"sensitive personal information, including names, addresses, and Social Security numbers"

Breach Description:
On June 13th, 2010, Quantum's Bellevue, Washington offices were broken into and laptops were stolen. One of the stolen laptops contained sensitive employee personal information, and the laptop was not encrypted.

Reference URL:
New Hampshire State Attorney General

Report Credit:
Quantum Corporation via the New Hampshire State Attorney General

Response:
From the online source cited above:

We are writing to inform you of a theft of laptops from the Company's Bellevue, Washington offices.

The information contained on one of these laptops included sensitive personal information (SPI) of certain Quantum employees
[Evan] If there is a possibility that a mobile device may contain sensitive information, you had better take steps to mitigate risks.

We do not have any evidence that, beyond this theft, this data has been further accessed, used or disclosed, but the laptops have not been recovered.

On the evening of Sunday, June 13, there was a break-in at the building in Bellevue, Washington that Quantum partially occupies.

The break-in was discovered the following day, June 14, by the property manager.
[Evan] What?!  The break-in was not discovered until the next day?  Don't forget that information security is not an IT issue, it is a business issue!  Effective information security requires the right mix of administrative, physical, and technical controls.  It's very disappointing that the Quantum offices were not protected by an alarm system (at a minimum).

We believe that all of the building's tenants were affected, but the Quantum property stolen included mainly electronic equipment, including some laptops taken from the IT work room.

Although the laptop containing SPI continues to retain password protection, the theft occurred before the encryption software could be reinstalled.
[Evan] Reinstalled?  Why would someone uninstall laptop encryption software to begin with?  I'm confused (not unusual).

The nature of the crime suggests that data was not the target but rather technology equipment, including: monitors, cables and video conferencing equipment.

Quantum is working diligently with in-house and outside resources to evaluate our physical and data security processes.

Quantum is also reviewing IT repair work processes in order to help prevent this type of incident from occurring again.
[Evan] Quantum needs to review more than IT repair work processes.

On June 17 Quantum notified all impacted employees

Quantum has set up a credit monitoring service for a term of one [1] year to be provided at no cost to all impacted persons.
[Evan]  Great!  If only Social Security numbers expired every year.

Quantum values your privacy and the security of your personal information and has processes and procedures in place to protect it through our Privacy Management Program and Written Information Security Program.

Quantum deeply regrets that this incident occurred, is working with the appropriate law enforcement agencies to investigate the break-in, and will notify you of any significant further developments that impact you.

Commentary:
I can understand human error and simple oversight, but I have trouble coming to terms with a breach notification that is written with so many statements that are meant to minimize the importance of a breach.  Quantum made plenty of minimizing statements, but failed to address the causes of the incident.  Preventative and detective physical security controls were insufficient, as were preventative technical controls.  Physical security controls should be consistently applied across all sites and at no time should sensitive data be unencrypted on mobile devices.  Frustrating.

Ironically, from Quantum's Data Security and Encryption page, we read:

"Since 2005 there have been more than 260 million individual records lost, with many of these records containing sensitive business data or individuals’ personal identification information. That’s why many nations have established legislation requiring businesses to take extra steps in protecting individuals’ data. And as more areas adopt this type of legislation, you’ll need to consider implementing a smart strategy such as data encryption technology from Quantum."

Past Breaches:
Unknown
