So.. the great keepers of our personal information can’t even keep their own information on their own servers where it belongs. Incredible.
Equifax Inc., one of the nation’s three major credit bureaus, said Tuesday a company laptop containing employee names and Social Security numbers was stolen from an employee who was traveling by train near London.
The theft, which could affect as many as 2,500 of the Atlanta-based company’s 4,600 employees, happened May 29 and all employees were notified June 7, spokesman David Rubinger said.
Employee names and partial and full Social Security numbers were on the computer’s hard drive, though Rubinger said it would be almost impossible for the thief to decipher the information because it was streamed together.
The employee whose laptop was stolen, who was not identified by the company, has been disciplined for violating company policy, which prohibits storage of company information on a hard drive, Rubinger said. The information is supposed to be stored on the company’s computer server.
How long before the press puts two and two together and draws the following conclusions:
(1) Your personal information is floating around all over the place. Even the people who are supposed to know who has it don’t know.
(2) When a theft occurs, spokesmen are always going to understate the danger to those involved. (Look at this case; the data wasn’t even encrypted!)
(3) For every one of these cases that is discovered, there are many many more that never get reported.
“it would be almost impossible for the thief to decipher the information because it was streamed together”
Does that mean the data was
a) In ROT 13 cipher
b) In plain text without spaces
c) In Spanish
I’ve said it before and I’ll say it again. I want to start class action suits against these goofball companies that let our personal information out.
It finally happened to me with hotels.com. I think we customers have the right to collectively sue.
Why do these companies keep our numbers, anyway? (If I’m a frequent customer, like with Amazon, I don’t mind it.)
But, unless I give my permission, it should be illegal for a company to keep my credit card number after the transaction is complete.
I’ve been pretty lucky so far. At my end, I keep my shredder well fed, and at the other end, I’ve apparently done business with only one company whose security was lax enough to let my credit card info seep through their cracks. But when Equifax can’t be trusted to oversee proper security procedures, it might be time to get a good grip on your ankles.
If you’re looking for ironies, don’t forget that Equifax sells subscriptions to regular credit reports so consumers can check to see if their identity has been misused. Now they need only point to themselves and say “See how often this happens?”
Actually, my wife and I have just about worn out our shredder. The number of instances of corporate stupidity in the area of computer security is mind-boggling.
My honey works for a locally-owned, small town bank. But, between banking regulations and just plain good IT sense, they’ve been fairly successful at preventing identity theft. Since the majority of computer info theft cases involve insiders — she gets advance notice on terminations because the first thing that happens is she yanks them from the network, shuts down their computer, removes all access — and then starts backtracking just to be sure. Two minutes later, they’re told about being terminated.
She’s astounded just about every week when she sees some monster corporation get in trouble because they don’t follow practices considered elemental in banking.
I’m going to have to disagree with these comments and — slightly — side with the company. The company clearly had policy against storing company information on local hard drives. It isn’t an easy thing to enforce. Short of personally searching each computer, how does a company prevent someone like this person from storing files locally?
Eideard: Your wife’s bank has a great policy for soon-to-be-ex-employees, but the same flaw exists. People will always store information locally, especially in the cases like this person who was probably on a business trip. He needed to get some work done but, knowing the internet won’t always be available for him to VPN in to the network drives, he saved a copy of his work. Luck had it, it was stolen.
What measures didn’t the company take?
2: I would agree with collectively suing a company, but who committed the crime? Was it the company who made the policy, but didn’t do a good enough job on its impossible task to enforce it? Was it the employee who ignored company policy? Or is it the thief who stole the laptop and — probably has– used the info for ID theft? It isn’t fair for the company to get all the blame.
Some silly questions:
Why is an employee of an American Credit Bureau riding around London with a laptop containing this data?
Just exactly how does one pack that much data in a laptop anyways? The VA situation had literally millions of names and identifiers stuffed in a laptop.
And howcumizzit they can’t just put one of those RFID tags on any computer with sensitive data on it so that it rings a bell or something like when the cashier forgets to hit all the right numbers on the cash register like what happens at Wal-Mart?
All these companies are making up lies about all this “PERSONAL” information being stolen and are flat out selling information to other collective profit agencies to which funds their lewd x rated “blazing saddles” party with CEO’s, Old Time Money, the heads of this administration, and other administrations collecting yet more information illegally, and flaming the fire with seeing how many times they can use the same old excuse and lies to ruin the middle class.
This is “TERRORISM” which can only thrive if you give it power.
Anyone else find it funny that the only Vets information that was “stolen” were only those between 50-70? I don’t just another way to make an excuse to cheat the Vets out of their underpaid benefits. It is a shame
“Even so, the company has provided employees free access to its credit monitoring service, and it has encouraged them to put a fraud alert on their credit file.”
Meanwhile the credit bureaus, along with banks and National Association of Retailers are trying to keep consumers from being able to put a credit freeze on their accounts by trying to get Congress to pass a law that would forbid credit freezes, even in states that now allow them.
#5 John, While you make a good point, it is easily refuted because the company allowed access to the information by personal computers. This allows the information to be downloaded onto unsecured laptops and either sold or accidentally stolen or lost. In other words, Equifax’s security methods were ineffective to the point of promoting the loss of personal data.
Equifax, or any company with secure information, should NOT be allowing access to such private information except through controlled access points. Neither the Veterans Affairs incident nor this case should have allowed the information to be on personally owned computers.
As Eideard mentioned above, proactive security works. I am quite sure that the Bank’s employees are not allowed to download all the bank’s data onto personal computers.
>> John Bartkowicz with collectively suing a company, but who committed the crime?
First of all, it is whoever I entrusted my credit card with. I am entrusting them with a very valuable piece of personal information and they have a responsibility to guard it. In this case, it’s Hotels.com.
But I think I should also be able to sue whoever did that actual loss. In my case, Hotels.com, it was their accounting firm, some jackass outfit called Ernst & Young.
Actually Ernst & Young are a pretty big firm but what the h*ck were they doing putting a quarter million credit card numbers on a laptop!?!?! And then leaving it unattended in a car?!?!
It wasn’t just my credit card number they let out… it was my full name and billing address. Probably everything I filled out when I reserved the hotel.
Check out this quote from top banner of their web site:
Ernst & Young has a strong tradition of contributing to the world’s leading corporations’ understanding of fraud. We know fraud to be a complex and constantly evolving subject that takes many different forms both within and between markets. Companies are still not operating effective anti-fraud policies in emerging markets, according to the 9th Global Fraud Survey from Ernst & Young.
They consult on fraud protection but when it comes to MY SECURITY they are willing to put it on a lap top and leave it in a car!
Even more irritating, these “experts” in fraud waited from February to May in order to inform us that our credit card numbers and personal information were stolen. They gave the fraudsters a FOUR MONTH head start on the victims!
Bahhh! I want to sue both Hotels.com and Ernst & Young in a class action suit.
I can think of no legitimate reason for anyone to be taking personal banking/credit information home “to work on”. This will continue until Congress makes it a felony for ANYONE to have such information on a portable device. Ten years in federal prison for the culprit and a $5,000,000 fine to the company ought to go a long way to discouraging the practice.
#1, Actually most bureaus frequently store their information as a fixed-width text record…Mainframe people seem to love that stuff. What’s more, there’s some movement to encrypt databases and such, but movement in that direction is slow and cumbersome. This isn’t just for the credit repositories, but for the resellers, as well as credit customers such as Mortgage Companies. They go through a lot of effort to prevent hackers from getting to their systems from the outside…but do nearly nothing to protect from the internal threats.
Mr. H. Fusion:
I don’t see how my point was easily refuted.
It was not a personal computer. The first sentence in the quote says the laptop was company issued. The data was most likely retrieved while at work on a secured intranet. Now, I do agree that the hard drive should have been encrypted – unless that’s what “streamed together” meant – and that would make Equifax responsible.
Banks do not allow information on personal computers, but if you think a banker never carries a company laptop – say from branch to branch – you are gravely mistaken.
It’s the same case: policy says not to keep locally stored copies, but there is no way to prevent it, without losing all functionality. Even when you use some sort of IDE where you “check in” a file to work on it then check it back out to the server, you are still essentially saving a temporary copy of the file.
The only IT solution would be to replace all desktops with thin clients and rid the company of laptops, PDAs, BlackBerrys and every other portable storage device (iPods, thumbdrives, floppies). It would be sending the business world’s technology back a generation, but at least we’ll be secure.
#14, I think some solution less extreme than getting rid of laptops and other portable storage devices could probably be found. Implementing thin client or remote desktop functionality doesn’t preclude the use of laptops at all — laptops can run those clients.
There’s no reason full functionality on portable computers can’t still be used for normal applications, but where the data is sensitive enough to enable identity theft, that data really needs to stay on the server, and the IT department can force the issue by only making it available to server apps. I don’t see why it would send the business world’s technology back a generation.
If it’s ever going to happen, they’re going to have to start feeling some real pain from the consequences of data theft. I don’t think they’ve felt enough pain yet. Lawyers are good at inflicting pain 😉