Cached copy of http://breachblog.com/2008/06/25/colt.aspx, a snapshot of the article taken when the feed was indexed.
"many of Colt's clients" affected by breach, CNET included
2008-06-25 11:25:20 by Evan Francen in The Breach Blog

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.  Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.  The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information.  Encryption of the stored data, with the key kept somewhere other than on the stolen machines, would have been a prudent defense-in-depth control: a mitigating control that protects the information even when a physical break-in succeeds and the hardware walks out the door.
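To make the point concrete, here is an added example (not from the original post, and not code belonging to Colt or CNET) of what "encryption at rest" buys against a burglary: an HR record is sealed with AES-256-GCM under a key that is assumed to live off the machine (a TPM, an HSM/KMS, or a passphrase entered at boot), so a thief who carries away the disk gets only ciphertext. The record line is constructed sample data, and the key-storage location is an assumption, not something the letter describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed HR export line of the shape the letter
// describes (name, DOB, SSN, employer, hire date, benefits group,
// relationship). It is not real data.
var SampleRecord = []byte("Doe,Jane,1970-01-02,123-45-6789,CNET,2003-04-01,GRP-17,self\n")

// NewKey returns a fresh 256-bit AES key. The whole control depends on
// this key NOT being stored next to the ciphertext: in practice it comes
// from a TPM, an HSM/KMS, or a boot-time passphrase (assumption, not from
// the post).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
// GCM authenticates as well as encrypts, so a modified blob fails to open
// instead of decrypting to garbage.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails with the wrong key or a tampered blob.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ExposesInClear models what a burglar holding only the disk can read:
// whether the stored bytes still contain the sensitive value verbatim.
func ExposesInClear(stored []byte, secret string) bool {
	return bytes.Contains(stored, []byte(secret))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, SampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext on disk exposes SSN: ", ExposesInClear(SampleRecord, "123-45-6789"))
	fmt.Println("ciphertext on disk exposes SSN:", ExposesInClear(blob, "123-45-6789"))
	if _, err := Open(make([]byte, 32), blob); err != nil {
		fmt.Println("opening with the wrong key fails:", err)
	}
	pt, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("opening with the real key: %s", pt)
}
```

The design choice that matters is key separation, not the cipher: full-disk encryption products (BitLocker, FileVault, LUKS) do the same thing one layer down, binding the key to a TPM or passphrase. The caveat is that none of this helps if a machine is stolen while powered on with the volume unlocked, so the control pairs with screen locks, power-off policies and, yes, a burglar alarm.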

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did.  Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information!  I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again.  One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame.  It should be pointed out, however, that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many".  How many clients will be affected in the end?  PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters.  An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business.  This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th?  I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you.  We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist.  How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it?  If so, this could have been a sign that could have spurred some action.  Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February.  The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking.  Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships.  Ideally, information security personnel are involved throughout the relationship, starting with the initial vendor feasibility assessment and continuing through termination.  Vendors and "trusted" third parties need to be held to the same security standards that we set for our own organization.  How that is accomplished varies from organization to organization, but it typically includes risk assessments (initial and ongoing), information security requirements written into the contract, and enforcement action when those requirements are not met.  A vendor that is winding down its business, as Colt says it was, is exactly the case the contract should cover: notice of the change in status, and return or certified destruction of the data it holds.  If a vendor is not encrypting confidential information or employing burglar alarms, at least that gap is known and can be addressed before, rather than after, the theft.

Past Breaches:
Unknown