Employee caught selling Cardinal Health computer on eBay


Date Reported:
9/7/10

Organization:
Cardinal Health

Contractor/Consultant/Branch:
None

Location:
Dublin, Ohio and Online (eBay)

Victims:
Current and former employees, and some job applicants

Number Affected:
Undisclosed

Types of Data:
"personal information that included employee number, birth date and social security number"

Breach Description:
Cardinal Health has notified the New Hampshire Attorney General of a breach concerning personal information belonging to certain current and former employees, and job applicants.  Cardinal Health became aware of the breach through the sale of one or more of their computers on eBay.

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
New Hampshire Attorney General

Response:
From the online source cited above:

Pursuant to applicable state law, we write to notify you of a data security event at the Dublin, Ohio facility of Cardinal Health (the "Company").

In mid-June, 2010, a third party notified us that he purchased a laptop on eBay that appeared to have originated from our Company.
[Evan] Uh oh.

We recovered that laptop and conducted an investigation.

We determined that the laptop did not contain any personal information.

We also learned that the laptop recently had been decommissioned from use and replaced with a new one.

Company policy requires that when a computer is decommissioned, the responsible IT employee must erase its data and then arrange for its destruction through our approved vendor.

During our investigation, an IT employee admitted that, rather than arrange for its destruction, he took the laptop in question and sold it on eBay.
[Evan] A few years ago I actually had an employee who reported (past tense) to me that did this very same thing!  He was taking decommissioned computers and selling them for his own profit.  After a thorough investigation, I confronted him.  It amazed me how he justified his behavior as being acceptable.

The IT employee denies taking or selling any other Company computers.
[Evan] This employee has already demonstrated a willingness to break the rules through dishonesty.  I would be very skeptical of this denial.

We have since terminated his employment.
[Evan] What other option is there?

Based on this incident, we re-inventoried our computers, including all decommissioned computers.
[Evan] A critical part of information security is asset management.  Inventories must be reconciled on a regular basis.  I hope that this was the case before this breach, and will be afterward too.

This process revealed by the end of July, 2010, that we could not account for nine (9) laptops and two (2) desktops that had been decommissioned and slated for erasure and destruction.

Because these computers had all been replaced, the Company retained a complete copy of the data on these missing computers.
[Evan] Nice.  This is not as common as it should be.

The Company analyzed the data from the missing computers and in late August, 2010, concluded that one of the laptops had been used by an HR employee and contained personal information that included employee number, birth date, and social security number for current and former Company employees, as well as birth dates, and social security numbers for some job applicants.
[Evan] Uh oh.  This type of information should not be stored on a laptop, especially one that is not encrypted.  Based on the fact that encryption is not mentioned, I will assume that this HR laptop was not encrypted.  

At this point, we can only confirm that these computers are missing.

We have no information that the computers have been taken from Company premises or otherwise accessed without authorization, and we hope to still locate the missing computers during our further search efforts.

Out of an abundance of caution, however, and given that the IT employee admitted to selling one decommissioned computer on eBay, we have elected to notify the employees and applicants whose personal information was on the one missing HR laptop.

A sample copy of that notice is enclosed and it will be distributed to affected persons on or about the same date as this letter.

The notice explains how to place a fraud alert with the relevant credit reporting agencies, and provides appropriate telephone and e-mail contact information in the event the individual has questions regarding this process or the underlying incident.

Finally, the Company is offering to all affected persons a credit monitoring service from a very reputable vendor for a period of one full year at no cost to the individual.

In addition to providing these services to the affected individuals, we have reviewed our internal procedures concerning decommissioned computers and are making adjustments to address the risk of future theft and loss.
[Evan] One mitigating control to prevent unauthorized access would be the use of encryption.  If there is a failure (or oversight) in the data/media destruction practices, proper encryption use should ensure that the data remains safe.  We call this defense in depth.

For example, we have restricted access to inventory rooms where computers are stored, and we have installed a surveillance camera in a strategic location to monitor inventory room activity and to act as a deterrent.

We also have revised and improved our decommissioned computer destruction policy, and have instituted mandatory training for all applicable IT employees to reinforce proper disposal practices.

We deeply regret that this incident occurred and we will work hard to quickly address and resolve any further issues.

Commentary:
Overall, I like the organization's response to this incident.  They appear to have conducted a thorough investigation, and took the high road in notifying the people affected.  What I find alarming is no mention of encryption.  Does this organization encrypt data stored on laptops?  If not, why not?

I'm not going to address employee risks right now, but I think that this is a good example of what can happen when an employee decides against following (or is ignorant of) policy.  Feel free to voice your opinions. ;)
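The re-inventory described in the letter, which turned up decommissioned machines that nobody could account for, is a check that can run on a schedule rather than only after an incident. The following is an added example, not code from this post or from Cardinal Health; it assumes a simple asset register (constructed sample records below) in which each decommissioned machine should eventually carry a destruction-certificate date from the approved vendor, and it reports the ones that have none.

```python
from datetime import date

# Constructed sample records (not Cardinal Health data), one per asset.
# status is "in_use" or "decommissioned"; destroyed_on is the date on the
# approved vendor's destruction certificate, or None if no certificate exists.
INVENTORY = [
    {"tag": "LT-0101", "kind": "laptop",  "status": "in_use",
     "decommissioned_on": None, "destroyed_on": None},
    {"tag": "LT-0102", "kind": "laptop",  "status": "decommissioned",
     "decommissioned_on": date(2010, 5, 3), "destroyed_on": date(2010, 5, 20)},
    {"tag": "LT-0103", "kind": "laptop",  "status": "decommissioned",
     "decommissioned_on": date(2010, 5, 3), "destroyed_on": None},
    {"tag": "DT-0201", "kind": "desktop", "status": "decommissioned",
     "decommissioned_on": date(2010, 7, 1), "destroyed_on": None},
]

# Date of the reconciliation run (constructed; the letter's re-inventory
# finished at the end of July 2010).
AS_OF = date(2010, 7, 31)

def unaccounted_assets(inventory, as_of, max_days_pending=30):
    """Return decommissioned assets that have no destruction certificate.
    Each finding records how long the asset has sat between decommissioning
    and confirmed destruction; anything older than max_days_pending is
    flagged overdue. That window is where a machine can leave unnoticed."""
    findings = []
    for rec in inventory:
        if rec["status"] != "decommissioned" or rec["destroyed_on"] is not None:
            continue
        pending = (as_of - rec["decommissioned_on"]).days
        findings.append({"tag": rec["tag"], "kind": rec["kind"],
                         "days_pending": pending,
                         "overdue": pending > max_days_pending})
    return findings

def summarize(findings):
    """Count unaccounted assets per kind, the form the letter reports them in."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts

if __name__ == "__main__":
    found = unaccounted_assets(INVENTORY, AS_OF)
    for f in found:
        flag = " - OVERDUE" if f["overdue"] else ""
        print(f"{f['tag']} ({f['kind']}): {f['days_pending']} days "
              f"without a destruction certificate{flag}")
    print(summarize(found))
```

Run against a real register, the overdue list is the one to chase with the vendor's paperwork, and a machine that appears on it after its replacement was issued is exactly the case the letter describes.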

Past Breaches:
Unknown
