Laptop lost during airport layover affects more than 32,000 employee candidates
Date Reported:

7/27/10
Organization:
CoreLogic
Contractor/Consultant/Branch:
First Advantage
First Advantage Tax Consulting Services ("TCS")
Location:
An undisclosed airport
Victims:
Job applicants from TCS clients
Number Affected:
32,842
Types of Data:
Personal information including "names and Social Security numbers"
Breach Description:
"Through its lawyers, Indianapolis-based First Advantage Tax Consulting Services (TCS) has notified the New Hampshire Attorney General’s Office that on June 10, a laptop containing sensitive personal information was lost during an airport layover."
Reference URL:
Office of Inadequate Security
New Hampshire Attorney General breach notification
Report Credit:
Office of Inadequate Security and the New Hampshire Attorney General
Response:
From the online sources cited above:
Reed Smith LLP provides legal counsel to First Advantage Tax Consulting Services ("TCS").
TCS helps employers determine their eligibility for tax credits.
As a necessary step in that process, the employers provide TCS with certain personal information about employee candidates, including names and Social Security Numbers.
[Evan] I wonder if the "employee candidates" are aware of the fact that TCS client companies are sharing their personal information with TCS. After all, the employee candidate is the owner of the information, not the client company or TCS.
This letter is to inform the Office of the Attorney General that a TCS laptop was lost during an airport layover.
[Evan] Interesting. Obviously (or maybe not), it is not a good idea to leave a laptop unattended in an airport. Do you suppose TCS has a policy to prohibit such a practice?
The documents on that laptop contained some information acquired by TCS while providing employer services, including the names and Social Security Numbers of individuals from New Hampshire.
Through its internal investigation, TCS has determined that approximately 32,842 Social Security Numbers were on the laptop.
[Evan] Typically it is not a good idea to store sensitive information on a laptop or other mobile device, whenever possible. Strike 2.
Upon discovery that the laptop had been lost, TCS took prompt steps to address the loss.
TCS reported the lost laptop to appropriate authorities.
Although the laptop was already protected by a strong, complex password, TCS changed that password remotely.
[Evan] OK. So what? Can we assume that the laptop was not encrypted and protected with pre-boot authentication? An operating system (Windows XP Pro anyway) password can be circumvented in less than 60 seconds. There is absolutely no need to crack the password which would be the only reason to have a "strong, complex password". Strike 3. TCS changing the password remotely is irrelevant, but I am curious to know how they changed a password on a machine that they probably didn't have any access to.
The laptop's ability to access the TCS network was also shut off.
[Evan] This does nothing to protect the data that was stored on the laptop.
To date, the laptop has not been recovered.
TCS has no evidence that the laptop was stolen, nor that the laptop's password has been circumvented, nor that any file on the laptop has been viewed by any unauthorized party, much less one with bad intent.
[Evan] I don't think that the laptop grew legs and just walked away. How would TCS obtain evidence of password circumvention, local file access, and intent without recovering the laptop?
Out of an abundance of caution, TCS is offering one year of credit monitoring to the individuals notified at no charge.
[Evan] Really? An "abundance of caution"? An abundance of caution would have been to protect the information better through preventative measures.
This week, TCS is sending a notice letter to persons from New Hampshire notifying them of the incident.
At Tax Consulting Services we are dedicated to protecting your privacy and truly regret that this incident occurred.
[Evan] Almost as if TCS was the victim.
If you have questions or concerns, please contact .
Commentary:
I took exception to many of the points made in the letter to the New Hampshire Attorney General. Do people really believe this stuff at face value?
Past Breaches:
Unknown
Okay, you stumped me/trumped me on this one, my friend.
Where do you see/how did you find out that CoreLogic was the affected organization/client? I don't see that in their lawyer's report to NH AG. What did I miss?
LOL, I don't know about that! I don't think you missed anything.
I named CoreLogic as the organization that is ultimately responsible because First Advantage is a wholly-owned subsidiary.
Aha! I didn't know the relationship there and thought that you were saying that First Advantage lost CoreLogic's employee data.
Color me stupid... thanks for clarifying. :)