Lawyers for CNet have filed a letter with the Maryland AG office. According to the letter, a third party vendor, Colt Express Outsourcing Services, was victim to a break‑in over Memorial Day weekend. Computer equipment got stolen, although it’s not detailed how many or what type of equipment. While the use of full disk encryption (FDE) services could have provided the clients—including CNet—with data protection, it looks like encryption solutions were not used (based on the fact that they’re not alluded to at all).
According to Colt, the lost information includes names, dates of birth, SSNs, addresses, hiring dates, and other sensitive data related to employee benefit packages. Colt was in charge of CNet’s employee benefit administration for the past eight years, and the lost information goes all the way back to—yep, you guessed it—the year 2000.
So, what’s Colt doing to rectify the situation? All it can do, but it hands are tied because they’re going out of business—a fact that clients were aware of. Short of cooperating with the law and alerting clients that there is a potential for a data breach, Colt has stated that they “do not have the resources, financial and otherwise, to assist you [CNet, and I assume other clients] further.”
Ouch. I mean, Colt is only being honest and open, but still. I don’t know about the other affected companies, but CNet has signed up their employees for identity theft monitoring out of its own pockets.
Potential data breaches hitting companies due to the actions of third party vendors is nothing new. We’ve already had a handful this year affecting both big and small companies. Late last year, The Gap had an incident as well. Most of these cases could have been pretty much eliminated via the use of hard drive encryption, the likes of which are provided by AlertBoot.
The reasoning is pretty simple. Most of the “potential breach” notifications were prompted by the theft of computers—usually laptops, although desktops were included as well. By using whole disk encryption, the thieves—if inclined to get data off the stolen goods—would have found that the traditional methods of accessing computer data would have been useless, even in those instances where they try to override “password protection.”
Or at least, that’s the message I’m taking from an entry at pogowasright.org . Ebara Technologies had