http://securityratty.com/tag/centocor Tue, 29 Jan 2008 08:08:47 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/d0443c7844bc4096a8b34f900750e688 http://securityratty.com/article/d0443c7844bc4096a8b34f900750e688 Security Breach

Date Reported:
1/29/08

Organization:
Johnson and Johnson

Contractor/Consultant/Branch:
Centocor, Inc.*
Unnamed IT Vendor

*Centocor, Inc. is a wholly owned subsidiary of Johnson & Johnson, a worldwide manufacturer of healthcare products.

Victims:
People participating in National Faculty and Rounds on the Road Speakers programs

Number Affected:
Unknown

Types of Data:
Name, home of business city and state, and Social Security number/Tax Identification Number

Breach Description:
Several computers are missing from Centocor facilities in Horsham, Pennsylvania, of which one contained sensitive personal information belonging to speaker-consultants engaged by Centocor for the National Faculty and Rounds on the Road speakers programs.  Centocor was notified by their IT vendor of the missing computers in early October, 2007, and was provided additional details on November 29th, 2007.

Reference URL:
New Hampshire Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

I am writing to inform you about a recent security incident affecting a number of
speaker-consultants engaged by Centocor, Inc.

a number of computers cannot be accounted for at Centocor's Horsham campus and are believed to have been stolen.

Centocor was initially notified by its IT vendor of the incident in early October 2007 and was provided specific details On Nov. 29, 2007.
[Evan] The letter to the New Hampshire Attorney General is dated January 2nd, 2008. This equates to 34 days between the time Centocor knew about the "specific details" and the time of notification.  The unnamed IT vendor took more than a month to conduct their investigation.  This is longer than I would have expected on both accounts.  I wonder if this slowness is attributed to Centocor, the IT vendor or law enforcement.

Based on the subsequent investigation conducted by Centocor, one of the missing computers likely contained a file which included the name, city/state and social security/tax identification numbers of a number of people engaged by Centocor

one of the laptops likely contained a file with information that was intended for management of our National Faculty and Rounds on the Road Speakers program
[Evan] Why purpose does storing this file on a unsecure laptop serve?

Based on our investigation, Centocor believes that a former, contracted employee of the vendor removed the computers from our facilities
[Evan] It's good to know that they have a suspect in the theft.

Centocor reported this event to local law enforcement and they are currently investigating with full cooperation from Centocor and the vendor.

Centocor does not have any evidence that your infonnation has been misused, and
we believe that the likelihood of such misuse is low.
[Evan] I think the likelihood is higher than it would be in the case most "run of the mill" laptop thefts.  In this case, the suspect is a contracted employee of the IT vendor which implies that this person may have IT skills.

we have arranged for a credit-monitoring product at no cost to you, which also includes unlimited access to your credit report
[Evan] Centocor has arranged for 1 year of credit monitoring with ConsumerInfo.com.  Permanent information protected with one year of monitoring doesn't do much to reduce the risk to the affected individual.  Monitoring is after the fact, and one year is 365 days.

Centocor is committed to working with the local law enforcement to try and recover the missing assets and your information
[Evan] It is important to remember that information is not like most physical assets.  Once information confidentiality has been compromised, you can't "recover" it.  You can't disclose a secret and then make it secret again.  Nonsense.

Commentary:
I know for a fact that Johnson & Johnson runs a well-respected information security program, but even the well-respected companies experience breaches.  I don't know too much about Centocor, and for all I know they may be an independently run IT organization.

Questions:
Why was this information on the laptop to begin with?
Why are Centocor laptops not encrypted?

Past Breaches:
September, 2007 - 68,767 Patients Affected by McKesson Stolen Computers

]]> Tue, 29 Jan 2008 08:08:47 +0000 centocor information evan centocor evan time centocor centocor facilities facilities centocor laptops laptops Stolen laptop contained Centocor speaker-consultant information