http://securityratty.com/tag/glaxo Fri, 13 Jun 2008 09:10:18 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/58e91758aa8878262c367e27cb3e449c http://securityratty.com/article/58e91758aa8878262c367e27cb3e449c Security Breach

Date Reported:
6/10/08

Organization:
GlaxoSmithKline

Contractor/Consultant/Branch:
None

Victims:
Employees

Number Affected:
"more than 500"

Types of Data:
"names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts"

Breach Description:
"GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site."

Reference URL:
North West Evening Mail
Fleetwood Weekly News

Report Credit:
North West Evening Mail

Response:
From the online sources cited above:

GLAXO workers fear they will fall victim to fraudsters after their personal details were sent to all staff at the Ulverston site.

The emails contained information such as names, dates of birth, addresses, pensions, National Insurance numbers and, in some cases, redundancy payouts, of more than 500 employees.
[Evan] Have you ever received or sent an email to an entire group of people on accident?  It is embarrassing.  Add to fact that 500+ of your co-workers were just put at risk of identity theft, and now how do you feel.  Chances are greater if you use mail client programs that automatically guess the recipient after only typing a few letters.  I wonder if this email was sent by a person or programmatically.

A reliable source, who wishes to remain anonymous, says GSK staff from across south and west Cumbria are up in arms.

They fear the information has been sent out to all 110,000 employees in the UK and US.
[Evan] Glaxo officials claim that this was not the case.

And some feel they could become victims of identity theft by cash-strapped workers facing redundancy.

The mails sent out all with attachments on the intranet

When they were opened up they gave details of all 540 or so workers. It had such details as their names, address, position and if they had put in for redundancy what figures they could expect.
[Evan] Wow!  The redunancy (or severance) payout information adds a twist to this breach.  Not only can the personal information be used for identity theft, but a person getting a larger payout can be targeted specifically.  Bad.

For instance one of the bosses is getting £200,000 redundancy and then a £40,000 a year pension.
[Evan] That's a helluva payout.  That's almost $400,000 and $80,000 US.

A few days after this happened a letter saying sorry was sent out to all employees.
[Evan] "Sorry" reminds me of what my children say to me when they do something they shouldn't have done. 

GSK has apologised to staff, saying it regrets the incident and has made steps to make sure the breach is never repeated.
[Evan] How will GSK ensure that this breach is never repeated?

The firm claims only Ulverston workers had access to the information.

Ulverston site director Richard Pamenter say in the letter to Glaxo employees, obtained by The Evening Mail:

"I wanted to make sure you were made aware that information has been inadvertently released on both the GSK e-mail and intranet systems, which if used inappropriately, could permit access to certain personal information for staff.

"If any of these documents are used inappropriately, this could allow access to information on individuals’ date of birth, job grade, National Insurance number and home address.

"Additionally, for some staff, information on pensions, quotes and redundancy payments could be accessed. We have removed the information source from the intranet and are currently progressing the removal of documents and relevant attachments from the company email.

"We very much regret this incident has occurred and I would like to apologise unreservedly for any embarrassment or inconvenience caused."

Commentary:
This breach was not widely covered in the press and the information we know is very limited.  I'm going to presume that this breach was the result of an employee mistake.

Past Breaches:
Unknown

]]> Fri, 13 Jun 2008 09:10:18 +0000 information personal information details employees personal details staff fear glaxo workers fear gsk staff Severance and personal details of GlaxoSmithKline employees exposed