http://securityratty.com/tag/touche Thu, 20 Dec 2007 11:23:09 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss http://securityratty.com/article/fb71334da45d13f8777c9bb4a4f5052f http://securityratty.com/article/fb71334da45d13f8777c9bb4a4f5052f Security Breach

Date Reported:
12/14/07

Organization:
Deloitte & Touche USA LLP

Contractor/Consultant/Branch:
IKON Office Solutions

Victims:
Current and former partners, principals, and employees of Deloitte & Touche and its subsidiaries

Number Affected:
Unknown

Types of Data:
Names, Social Security numbers, dates of birth, "and other information relating to those personnel, such as employee hire and termination dates"

Breach Description:
An un-encrypted laptop was stolen from an IKON Office Solutions employee on November 19th, 2007 that contained sensitive personally identifiable information belonging to current and former Deloitte & Touche partners, principals and employees.  IKON was serving as Deloitte & Touche's document management vendor.

Reference URL:
The New Hampshire State Attorney General breach notification
SC Magazine Story

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

On November 21st, 2007, D&T USA's document management vendor, IKON Office Solutions, Inc. ("IKON"), informed D&T USA that a laptop containing a file with information about current and former partners, principals and employees of D&T USA and its subsidiaries had been stolen from an IKON employee's vehicle two days earlier.

The file included names, Social Security numbers, dates of birth and other information relating to those personnel, such as employee hire and termination dates.

IKON's employee reported the theft to the Walnut Creek, California police department.  The police report number is 07-27609.

So far, the computer has not been recovered.

The laptop was not encrypted, but the laptop was password protected.

We have no information indicating the information has been misused.

we are in the process of notifying all affected individuals through first class mail, postage prepaid.

We have contracted with ConsumerInfo.com, Inc., an Experian company, to provide you with one year of credit monitoring, at no cost to you.

We are committed to protecting all confidential information that is entrusted to us.  Accordingly, we have suspended all work with the vendor on the pension record scanning project until the vendor can demonstrate that it has implemented appropriate data security protections.
[Evan] Its not uncommon for an organization to overlook the information that vendors and other third-parties access and/or store.  Information security controls surrounding vendor access must be addressed in policy, and then followed up standards and controls.  I wonder what Deloitte & Touche's policy is around vendor access to confidential information.

if you have any additional questions about this incident, please call the Personal Service Network (PSN) at +1 800 DELOITT (+1 800 335 6488) and enter 12 to go directly to people who can answer questions about this incident.

Comments on the SC Magazine Story:

What makes Deloitte think that one year of monitoring will be all that is needed for the potential victims. I read where the average victim does not know til well beyond 12 months. - Mike

If "noted security experts" (so called in the article) can't get it right, then we're all in trouble. Laptop drive encryption is extremely easy to implement and manage corporate wide...and has been for years. So, why is this still happening? - Jim

Commentary:
According to the letter to affected individuals, IKON Office Solutions was responsible for scanning pension fund documents.

Although IKON definitely has blame in the cause of this breach, Deloitte & Touche certainly does to.  It seems that Deloitte & Touche makes some attempts to deflect their responsibility.  Deloitte & Touche was given the information in the first place and they are responsible for what happens to it until it is ultimately destroyed (if it ever gets destroyed).  We advise any clients that contract with third parties to create and adopt a "Vendor/Third-Party Access Security Policy".  Vendors are required to comply with the policy and many times it is even mentioned in the contract itself.  The purpose of the policy is to ensure that vendors and other third-parties secure information at no less of a level than the original company.

The comments made by readers of the SC Magazine story really sum up my immediate thoughts.

Past Breaches:
Unknown



]]> Thu, 20 Dec 2007 11:23:09 +0000 information touche ikon confidential information information security controls deloitte third-parties secure information touche partners ikon office solutions Deloitte & Touche and IKON lose confidential information