http://securityratty.com/tag/nsk Mon, 11 Feb 2008 08:11:51 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/722bff3a91e4e0118c01d2b709b53c89 http://securityratty.com/article/722bff3a91e4e0118c01d2b709b53c89 Security Breach

Date Reported:
1/25/08

Organization:
NSK Ltd.

Contractor/Consultant/Branch:
NSK Americas, Inc.

Victims:
NSK employees, past employees, and retirees

Number Affected:
~2,000

Types of Data:
Names, Social Security numbers, and salaries

Breach Description:
NSK Americas has reported a breach to the New Hampshire State Attorney General in which a folder containing sensitive personal information was found to be inadequately secured on their internal network.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

NSK Americas, Inc. recently became aware that a computer folder containing employee
data on our internal corporate server was not properly secured

The affected folder included the names, Social Security numbers and salaries of approximately 2,000 current, former and retired employees

The affected folder was on an internal NSK server which was not accessible by non-NSK employees

We immediately secured the affected folder and launched an investigation to detennine the facts.

We promptly retained Kroll On-Track, an industry-leading security consulting firm, to help us. As a part of this investigation and with the assistance of Kroll, we conducted a detailed review of all network logs to determine if the information was inappropriately accessed or downloaded to personal computers.

Based on our investigation, security for this particular folder was likely compromised due to an IT administrative error when information was migrated to a new server in June 2006.

Based on our corporate IT infrastructure, only 360 people out our employee population of 1,600 would have been able to access this document

As of now, we have confirmed that only a few employees gained access to the data file without authorization.

In addition, we are working with Kroll to determine if any other corrective or improved security measures are necessary.

we have also contracted with Kroll ID TheftSmart firm to provide credit monitoring and other related services at no cost to our employees
[Evan] Sounds like Kroll got some good business out of this breach.  I have never worked with Kroll, so I don't know enough to comment.

NSK is committed to never compromising your personal information. We have a zero tolerance privacy policy and do everything we can to make sure your data is protected.

Commentary:
NSK deserves credit for doing the right thing security-wise.  Did they do the right thing business-wise?  How many companies encounter similar circumstances during their day-to-day operations that simply overlook it as a non-incident worthy or reporting?

Based on this response and the retention of outside help, NSK has demonstrated that they are willing to do what it takes to secure personal information.

Past Breaches:
Unknown

]]> Mon, 11 Feb 2008 08:11:51 +0000 nsk americas nsk nsk employees non-nsk employees sensitive personal information personal information breach description breach secure personal information Insecure folder on NSK Americas' internal network