Sunday, September 30, 2007

Mysterious Gap vendor loses laptops with 800,000 people's information on them


(Banana Republic photo courtesy of Paul Rene at Flickr)

Gotta love the latest data breach at the Gap. First of all, it involves stolen laptops -- then it is disclosed that the information, which includes everything needed to complete a full identity assumption, wasn't even encrypted.

Stolen laptops compromising a lot of people's information isn't a new twist in the world of data breaches. Given this, it's amazing that this rather personal information wasn't even encrypted.

This doesn't even take into consideration that, although they had known about it since September 19th, they waited ten days to announce it -- and then did so on a Friday. TJX made its announcement of its intent to settle the class action lawsuits resulting from its data breach last Friday.

Strange how these disclosures always seem to happen right before the weekend?

Moving on, the GAP and their vendor (Taleo Corp), which runs the job site where all this information was data mined, are pointing their fingers at a mysterious third-party vendor, whom neither of them will name.

They are offering the now standard free credit monitoring, and their official statement is THAT it's against the Gap's policy to store information on unencrypted laptops. AND OF COURSE, they also have no reason to believe this information is being used.

As I've written many times before, the irresponsible passing (frequently for profit) of people's personal and financial information is what makes it TOO EASY for criminals to steal it.

When the information is passed to several different places, it gives all the people passing it plausible deniability that they were NOT the point of compromise when a person becomes an identity theft victim.

Last I heard, the criminals stealing the information don't want to let anyone know where they are getting it, either!

Recently, Monster.com was also compromised for a lot of applicant information. Here is the post I did on that:

Monster.com might be sending you a letter that your information was compromised

Job applicant information seems to be a hot commodity for thieves lately.

If you have applied for employment at Old Navy, Banana Republic, or the GAP, you can call 1-866-237-4007 to see if you might have a problem. The GAP has set up a website to assist those who might have been affected by this latest data breach.

Now that I'm finished ranting, it would be unfair to blame the GAP for all the data breaches that hit the news too frequently. Data breaches are expensive for the company that was breached, they bring bad publicity, and they put a lot of people at risk.

As I write this, I can almost bet there is another company being targeted for information. The million dollar question is -- what are they doing to make sure they aren't the subject of next week's data breach?

Hopefully, I won't find out who I am talking about next Friday night!

AP story about this (courtesy of the LA Times), here.

More updated version of the story by Robert McMillan (PC World) courtesy of the Washington Post, here.

The Privacy Rights Clearinghouse documents data breaches. If you take a look at their chronology, you will see that information being compromised by someone stealing a laptop is nothing new.

4 comments:

Anonymous said...

Bill Brenner at Search Security added something that is an even bigger concern. Apparently the GAP stores their customers' SSNs in their register system.

In light of the TJX breach, this is pretty scary.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1274757,00.html

HeJustLaughs said...

I was one of the 800,000 people affected by this incident.

I uploaded an image of the letter here

Anonymous said...

The laptop was stolen in June.

Ed Dickson said...

How could I get more information on the laptop being stolen in June?