Technorati Tag: Security Breach
Date Reported:
5/10/08
Organization:
Park National Corporation
Contractor/Consultant/Branch:
Aon Consulting Inc.
Victims:
"past and present employees"
Number Affected:
~2,000
Types of Data:
"personal information"
Breach Description:
"About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information."
Reference URL:
Columbus Business First
PogoWasRight
Report Credit:
Columbus Business First via PogoWasRight
Response:
From the online sources cited above:
About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information.
[Evan] Do you suppose finger crossing works? I didn't really think of this or include it in my 2008 information security strategic plan.
Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March.
[Evan] One of Aon Consulting's offerings is Enterprise Risk Management ("ERM"). There is no mention of whether or not this lost laptop was encrypted. If it weren't, do you think this is a good demonstration of sound risk management? I posed the question; I'll let you decide the answer.
The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.
"This was not our breach and we are the victim," she said. "We are absolutely unhappy to be a victim of this and Aon is working to fix this."
[Evan] Hold on a second! I respectfully but completely disagree with Ms. White. There is a misunderstanding or roles. The data owner is the victim. The data custodians are Park National AND Aon. If the information was given to Park National by the victim and not directly to Aon, then this is absolutely a Park National breach. It is the responsibility of organizations to ensure the security of the information they share with their contractors, consultants, vendors, etc. This is accomplished by creating policy that governs information security in these relationships, including information security in contractual language, and periodic audit and compliance assessments.
Aon is providing free credit-monitoring and fraud-protection insurance services from Experian to those who have been affected, according to a letter from Park CEO C. Daniel DeLawder to those affected by the theft.
Commentary:
The reference article is short, but the information still allows for plenty of commentary and speculation. I would be very interested to read the actual notification letter that went out to the victims. It may shed some more light on the subject.
It is troubling that Park National wants to absolve themselves of any responsibility in this breach.
Past Breaches:
Unknown
Date Reported: 5/10/08
Organization:
Park National Corporation
Contractor/Consultant/Branch:
Aon Consulting Inc.
Victims:
"past and present employees"
Number Affected:
~2,000
Types of Data:
"personal information"
Breach Description:
"About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information."
Reference URL:
Columbus Business First
PogoWasRight
Report Credit:
Columbus Business First via PogoWasRight
Response:
From the online sources cited above:
About 2,000 past and present employees of Park National Corp. are keeping their fingers crossed that they don't become identity theft victims after their pension administrator lost a laptop computer containing their personal information.
[Evan] Do you suppose finger crossing works? I didn't really think of this or include it in my 2008 information security strategic plan.
Aon Consulting Inc., which provides administration services for Newark-based Park's pension plan, lost the laptop in March.
[Evan] One of Aon Consulting's offerings is Enterprise Risk Management ("ERM"). There is no mention of whether or not this lost laptop was encrypted. If it weren't, do you think this is a good demonstration of sound risk management? I posed the question; I'll let you decide the answer.
The bank has received no reports that data on the computer has been accessed and used by thieves, said Park spokeswoman Bethany White.
"This was not our breach and we are the victim," she said. "We are absolutely unhappy to be a victim of this and Aon is working to fix this."
[Evan] Hold on a second! I respectfully but completely disagree with Ms. White. There is a misunderstanding or roles. The data owner is the victim. The data custodians are Park National AND Aon. If the information was given to Park National by the victim and not directly to Aon, then this is absolutely a Park National breach. It is the responsibility of organizations to ensure the security of the information they share with their contractors, consultants, vendors, etc. This is accomplished by creating policy that governs information security in these relationships, including information security in contractual language, and periodic audit and compliance assessments.
Aon is providing free credit-monitoring and fraud-protection insurance services from Experian to those who have been affected, according to a letter from Park CEO C. Daniel DeLawder to those affected by the theft.
Commentary:
The reference article is short, but the information still allows for plenty of commentary and speculation. I would be very interested to read the actual notification letter that went out to the victims. It may shed some more light on the subject.
It is troubling that Park National wants to absolve themselves of any responsibility in this breach.
Past Breaches:
Unknown
