Benefits Concepts' employees at risk of ID theft after FedEx package goes missing


Date Reported:
9/3/10

Organization:
Benefits Concepts, Inc.

Contractor/Consultant/Branch:
CompuPay
FedEx

Location:
Believed to be Warwick, Rhode Island

Victims:
Benefits Concepts employees

Number Affected:
Undisclosed

Types of Data:
"first/last names, social security numbers and bank account numbers"

Breach Description:
Benefits Concepts, Inc. has notified the New Hampshire Attorney General of a security breach concerning confidential personal information belonging to Benefits Concepts' employees.  "A FedEx Express ("FedEx") package containing BC employee payroll checks, along with an electronic copy of the checks on a CD, was lost in transit."

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
New Hampshire Attorney General

Response:
From the online source cited above:

We are writing on behalf of Benefits Concepts, Inc. ("BC") to notify you of a data security incident.
[Evan] The letter to the New Hampshire Attorney General was actually written by their outside legal counsel.

A FedEx Express ("FedEx") package containing BC employee payroll checks, along with an electronic copy of the checks on a CD, was lost in transit.

The payroll information on the checks included employees' first/last names, social security numbers and bank account numbers.

The package was shipped by BC's vendor, Compupay, on July 19, 2010, and was scheduled to be delivered on July 20, 2010.
[Evan] Did anyone at BC and/or CompuPay stop to think that shipping confidential information via FedEx in this way was not a good idea?  Did BC know that CompuPay was sending information this way or did they assume something different?  Does CompuPay ship all confidential customer information this way?  BC should have taken a more active role in the management of risks associated with vendor relationships, and CompuPay should wake up.  Due to the nature of these two companies, people should expect much better information handling/security.

Despite a recently concluded extensive search and investigation by FedEx, the package has not been located.

FedEx believes the package went missing at its station in Warwick, RI.

BC has no reason to believe the package was targeted for theft or that any of the information in the package has been used improperly, and there have been no attempts to cash any of the checks.
[Evan] Hardly a good assurance that bad things won't happen later.  If you lose information, you can only hope that it becomes destroyed or becomes found by someone with good intentions.

It appears the package was simply lost.

Notification is being sent to the affected individual in the form attached hereto.

As a precaution, BC is offering one year of free credit monitoring to the affected individuals.
[Evan] One year of free credit monitoring would be good if people's Social Security numbers expired after one year, but they don't.  We have read about people demanding lifetime credit monitoring more and more lately.  How long do you think it will be before somebody legislates a lifetime credit protection requirement?  Oh boy.

BC regrets this unfortunate incident and is taking the necessary and appropriate steps to prevent this type of incident from occurring in the future.

Going forward, BC has required its payroll vendor to mask the social security numbers and banking information on its payroll checks and to encrypt any accompanying CD.
[Evan] Seems good.  Proactive information security would have been much cheaper.

BC is continually evaluating and modifying its practices, and the practices of its vendors, in order to enhance the security and privacy of its employees' information.
[Evan] Is this only true now and in the future, or was this always true?  If BC claims that this has always been true, then how did they miss the risks involved with the way CompuPay was transferring sensitive information?

Commentary:
In the letter to the affected employees, BC states, "In an abundance of caution, we are providing you with a free one year membership in Triple Alert …"  I have to point this out because I abhor the "abundance of caution" remarks.  Treat information with an "abundance of caution" before a breach occurs.

I found it interesting that BC has numerous SAS70 reports on file.  A SAS70 does not ensure that information is created, collected, transferred, processed, destroyed, or used securely, but some people are under the impression that it does.  A SAS70 is a statement of how well an organization is meeting its control objectives, but says little about whether or not your control objectives are correct.  Just thought I would throw this in.  A SAS70 is not and should not be used to accurately assess your information security program for risk.

Past Breaches:
Unknown
