By October 25, 2011

Another Identity Breach Due to Carelessness

I worked for a company in the DC area several years ago. In order to save time and work from home, a woman from HR copied a database of employee information to her work laptop without authorization and against company policy. She went to Applebee’s and her laptop was stolen out of her car. Nothing ever came out of that breach, but I was given two years of credit monitoring by my employer.

Fast forward five years, and some knucklehead has done it again.

I received a letter yesterday that my previous employer in Virginia suffered a similar incident. An employee affiliated with my former employer sent information about me and an undisclosed number of past and present employees to their personal email account. The information was not encrypted and contained our full names, social security numbers, address, date of birth, and “work related” information. I assume salary information; my former employer insists it does not contain health or bank account information.

The incident happened in September of this year, and no one has any reason to believe that the information was intercepted or abused in any way.

What I really want is the name, social security number, address, and date of birth of the idiot who did this. Instead I got another two years of credit monitoring. Small comfort.

While I’m glad I know about the breach, here are some thoughts on the matter:

  1. Why did almost seven weeks pass before I was notified? Maybe they didn’t find out until last week or so, but that wasn’t spelled out in the letter I received.
  2. Who is liable in the event that my information is misused? My former employer or the toolbag who thought it was okay to email our information out in plaintext?
  3. People spend a lot of time worrying about their identities being stolen online. However, most people use the same username and password on multiple accounts. Most also use easy-to-remember (and usually easy-to-guess or easy-to-crack) passwords that they never change. Some of my friends are reluctant to give out even their year of birth online, afraid that disclosure of such information will lead to identity theft. I appreciate their caution.

    Why isn’t there more concern about what happens in meatspace? One of my credit cards was compromised this year by someone who wrote down the digits or cloned the card at a physical location. This is the second time someone has been careless with my human resources file; who knows how many other Keystone Kops-style incidents have happened that I don’t know about? I know a lot about data encryption, online communication encryption, Web site data handling procedures, and user credential management. But why don’t people pay more attention to the knuckle-dragging, brute-force equivalent: emailing sensitive information in plaintext?


4 Comments on "Another Identity Breach Due to Carelessness"


  1. Cymwyd says:

    The weakest security link in the system is the person in the chair. No security or procedure or tool is going to prevent a person from doing bad things, from ignorance, incompetence, or malicious intent.

    I’d say take precautions beyond “the usual” but we simply can’t protect all our data, sometimes because we don’t even know who had which pieces of our data…or when some jerk is going to email a file home so they can watch the game while finishing up work.

  2. Jenner says:

    I was burglarized earlier this year. They did it in such a manner as to make it hard to tell anyone had been there. That gave them time, their best friend. Just about everything that could be compromised was; the scary thing is that it came in waves. Initially my bank accounts got drained via my debit card; that was my first clue that something was going on. They moved on to my credit cards. The bank gave me my money and the credit card companies credited the fraudulent charges. Then weeks went by and suddenly my checks started showing up. They had taken checks out of the middle of the pads. So far credit monitoring has turned up a credit application at a car dealership in my name and a cable TV account. They had my name, address, phone number, employer, and my paycheck stubs with my salary. I got burned. But that’s all background to my real question: does homeowner’s insurance cover losses, even if the crime started as a home burglary? At what point does the line cross to cyber crime? If they steal your own personal laptop the value of the laptop is covered, but is your intangible loss covered? Enquiring minds want to know :-)

  3. Brice says:

    I don’t believe there is any liability for the company or the employee in question. It’s one of the major flaws in our current system.

  4. Joseph says:

    I think you’d be surprised how careless people in HR and Payroll are about who and what has their data. You know this, we’ve seen it first hand, I’ve had a company that handled very sensitive data (think bank account numbers of VERY high profile people, SSNs of their spouses, etc.) and while we took great care to protect the data, there were def. more things we could have done.

    We have to get away from the SSN being a person identifier, it wasn’t designed to be what it is today. I hate the idea of the government having a national id system, but something has to be done….
