American Airlines parent company reports breach involving stolen hard drive


Date Reported:
7/2/10

Organization:
AMR Corporation

Contractor/Consultant/Branch:
American Airlines

Location:


Victims:
"retirees, former employees, and a limited number of current employees"

Number Affected:
"approximately 79,000"

Types of Data:
"names, addresses, dates of birth, Social Security numbers, and possibly other personal information, as well as a limited amount of bank account information"

Breach Description:
"CHICAGO, July 2 (Reuters) - AMR Corp (AMR.N), parent of American Airlines, on Friday said a hard drive containing personal information on 79,000 retirees, former employees, and current employees has been stolen from the company's pension department."

Reference URL:
PR Newswire
Reuters
CBS11TV.com

Report Credit:
AMR Corporation via news outlets

Response:
From the online sources cited above:

Today, AMR Corporation (NYSE: AMR), the parent company of American Airlines, Inc., sent letters to potentially affected retirees, former employees, and a limited number of current employees about a compromise of certain personal information.

The data, which had been kept by AMR's pension department, spans a time period from 1960 through 1995, and consists of images of historical microfilm files for approximately 79,000 retirees, former employees, and a limited number of current employees.
[Evan] Why does the company need to keep detailed personal information that dates back as much as 50 years?!

No customer data was compromised.

AMR officials discovered and reported the theft of a hard drive at AMR headquarters in Fort Worth, Texas, on June 4, 2010.
[Evan] The news reports don't tell us if this was a removable hard drive (USB), or a hard drive that was removed from a computer.  We also don't know much about the physical security protections that were in place to prevent the theft.  Removable hard drives should be encrypted, as should hard drives that are removed and placed in storage.  Encryption is a mitigating control for physical security vulnerabilities.

The drive contained images of historical microfilm files, which included names, addresses, dates of birth, Social Security numbers, and possibly other personal information, as well as a limited amount of bank account information.
[Evan] That is a lot of detailed personal information!  I wonder how many of the affected people knew that AMR still had this information.

For some affected individuals, health insurance information (primarily enrollment forms, but also some coverage-related care, treatment, and other administrative materials) may also have been included.
[Evan] But wait, there's more!

AMR does not believe the health and welfare information contained on the drive is subject to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), considering the age of the files and other factors.
[Evan] Huh?  The age of the information does not exempt coverage from HIPAA.  If the information qualifies as protected health information (PHI), and the people are alive, then it applies.  What do you suppose are the "other factors"?

However, AMR is committed to HIPAA compliance, and will continue to take measures to secure the confidentiality of all health and welfare information that it maintains.
[Evan] AMR should be committed to adequately managing the risks of unauthorized sensitive information disclosure, modification, and destruction.  HIPAA compliance is only a piece of the puzzle.

AMR has issued letters to retirees and employees whose files were affected, notifying them of the steps AMR has taken to correct the issue and what cautionary steps individuals may wish to take, including a one-year credit monitoring service offered at no cost by AMR.

AMR also believes some of the employee files also contained limited information concerning beneficiaries, dependents, and other employees during the 1960-1995 timeframe.
[Evan] And yet, there's more!

AMR has already implemented additional protective measures because of this incident, including additional physical security, access control, and computer system vulnerability assessments. The internal investigation is ongoing.

For additional information and steps individuals may take to protect themselves, AMR has established a frequently asked questions website at www.amrfaq.com.

Commentary:

This breach, like many others, is a good example to support the point that information security is NOT an IT issue. Information security is a business issue that must account for physical, administrative, and technical risks.

When I write on the Breach Blog, I am often critical in my assessment of the breach given the limited number of publicly available details surrounding the breach.  The motivation for being critical is not so much to disparage the company that reports the breach, but more so to educate.  In fairness to AMR, there are a number of controls in place to prevent, detect, and respond to information security incidents.  It is likely that they employ a talented team of individuals to manage it all too.  I feel like being nice ;).

Past Breaches:
Unknown
