http://securityratty.com/tag/chipotle Sat, 26 Apr 2008 18:39:08 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/d1a2ed55b9f05cd298be720ce8bff786 http://securityratty.com/article/d1a2ed55b9f05cd298be720ce8bff786 Security Breach

Date Reported:
4/15/08 (this incident is also the cause of Stolen USinternetworking laptop affects hundreds of SPX employees AND Stolen USinternetworking laptop also affects XL employees)

Organization:
Chipotle Mexican Grill

Contractor/Consultant/Branch:
USinternetworking ("USi")*

*From the USinternetworking "About Us" page:
Founded in 1998, USinternetworking, Inc. (USi), an AT&T company, is the most experienced Application Service Provider (ASP). We use a highly automated, efficient, systematic approach to deliver managed hosting, application management, remote management, professional services, SaaS enablement, and eBusiness development and hosting to more than 150 enterprise-level organizations in over 30 countries.

Victims:
Current and former Chipotle employees

Number Affected:
Unknown

Types of Data:
"name, address, Social Security number, and payroll information"

Breach Description:
"USi, a service company that was doing information technology work for Chipotle to support human resources and payroll, has notified Chipotle that on or about March 23, 2008, a USi employee residing in Columbus, Ohio was the victim of a burglary, during which a laptop computer, containing Chipotle information, was stolen."

Reference URL:
New Hampshire State Attorney General breach notification part 1
New Hampshire State Attorney General breach notification part 2

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

USi, a service company that was doing information technology work for Chipotle to support human resources and payroll, has notified Chipotle that on or about March 23, 2008, a USi employee residing in Columbus, Ohio was the victim of a burglary, during which a laptop computer, containing Chipotle information, was stolen.
[Evan] USi was storing confidential information obtained from at least three different companies on a single, poorly protected laptop computer.  Sad, but true.

Unfortunately, USi informs us that some information, including name, address, Social Security number, and payroll information for Chipotle employees and former employees was contained on the stolen laptop.
[Evan] "Unfortunately"?  Is the cause of this breach attributed more to fortune than it is to poor information security management?  I don't fortune has all that much to do with it.

USi has reported the theft to Ohio law enforcement authorities and believes the theft was a random act.

At this time, we have no evidence that this information has been misused, and USi indicates that the laptop was password protected.
[Evan] This statement (or very similar) appears in each of the three breach notifications that I have read about this incident.  You could almost copy and paste it, eh?  It is probably too early for any evidence of misuse (a smart fraudster would wait until the identity theft protection runs out, or would sell the information to someone else).  Password protection (likely operating system) is little more than no protection.  An operating system password would not suffice as adequate protection for most information security professionals.

we want to make you aware of the incident and the steps that have been taken to prevent a reoccurence
[Evan] USi also made this (or similar) statement in each of the breach notifications, but there were never any "steps" listed anywhere

access to Continuous Credit Monitoring and Enhanced Identity Theft Restoration at no cost to you for 2 years.

If you have questions or feel you may have an identity theft issue, please call ID TheftSmart member services at 1-800-588-9839 between 8:00 a.m. and 5:00 p.m. (Central Time), Monday through Friday

Chipotle sincerely regrets this unfortunate incident and is currently taking steps to ensure that its privacy policies are strictly followed to avoid similar issues.
[Evan] Chipotle, its employees, its investors, and its customers would all benefit from information security improvement, including (but certainly not limited to) vendor/contractor information security policies and mandatory standards, enforcement of the policies and standards, and periodic auditing of vendor compliance with the policies and standards.  Information security is necessary at all phases of vendor relationships (need definition, negotiation, contractual language, etc.) just as it is at all phases of software development.

Commentary:
Well, I wonder if this is the last company affected by this single stolen USi laptop.

Past Breaches:
Chipotle:
Unknown
USinternetworking:
April, 2008 - Stolen USinternetworking laptop also affects XL employees
April, 2008 - Stolen USinternetworking laptop affects hundreds of SPX employees

]]> Sat, 26 Apr 2008 18:39:08 +0000 information information security confidential information usi information security improvement chipotle information security policies chipotle information evan Chipotle Mexican Grill employee information on USi stolen laptop