Date Reported:
5/9/08
Organization:
Sodexo
Contractor/Consultant/Branch:
None
Victims:
Employees
Number Affected:
Unknown*
*There are 919 Maryland residents reported by the company
Types of Data:
Names and Social Security numbers
Breach Description:
Sodexo recently reported an information security breach affecting company employees. A letter was sent reporting "the recent theft of a Sodexo-owned laptop computer that may have contained a file with personal employee information."
Reference URL:
The Maryland State Attorney General breach notification (pdf)
Report Credit:
The Maryland State Attorney General
Response:
From the online source cited above:
We are writing to inform you, pursuant to the provisions of Maryland Statutes Section 12-3504(h), of an incident involving possible unauthorized access to personal information relating to 919 employees of Sodexo who reside in Maryland.
[Evan] Sodexo employs 342,000 people worldwide. That's a lot of people. This breach only affected a subset of employees, but imagine how big a problem there is if storing confidential information on an unencrypted laptop is an acceptable practice.
We are sending letters today to these employees to notify them of the theft of a Sodexo-owned laptop computer from the automobile of an employee of Sodexo in Montgomery County.
[Evan] An equation for you math types. Laptop + confidential information + automobile - encryption - employee presence = unacceptable risk of breach. It seems to be an equation that holds true more often than not.
This laptop may have contained an electronic file with the names and Social Security numbers of these employees.
[Evan] May have or may not have contained the sensitive file. I do give Sodexo credit for following the high road and disclosing the breach. This one seems like it would be pretty easy to "sweep under the rug."
The file did not contain date of birth, home address, or other personal identification or personal financial information.
The computer was password-protected.
[Evan] Big deal.
There is a risk, however, that a dedicated and computer savvy thief could circumvent this protection and gain access to files on the computer.
[Evan] It really doesn't take much dedication OR skill.
We have not uncovered any indication that the information was the target of the theft or that the information has been accessed or misused.
The incident was reported to the Montgomery County Police Department and is under investigation.
We have not been able to confirm definitively that this file was on the laptop.
We are sending a separate letter today concerning this incident to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
We are sorry that this has happened.
[Evan] I like the word "sorry" here. Most breach notifications use "regret" and "apologize", but sometimes I like the simple "sorry".
We take very seriously the information security of all of our employees, clients and customers.
We continually enhance and update our information protection and security protocols.
We are committed to ensuring that we have the procedures and processes in place to prevent this from happening again.
[Evan] I hope that Sodexo shares what procedures and processes they end up using. I can think of a few that might help.
We have established a toll free hot line, 1-877-749-3300, for you to contact with questions related to this incidence.
Commentary:
Here. I am going to take the exact same commentary section from the last breach that I just wrote about.
"Breaches resulting from a lost or stolen laptop computer containing confidential information without encryption are NOT breaking news. These are reported regularly. So what would be the excuse? It's hard to claim that you didn't know any better."
Almost like a broken record. Sodexo did not mention if any of the circumstances that led to this breach were violations of corporate policy.
Past Breaches:
Unknown