Databreaches.net, which I'm still inclined to call "the son of pogowasright.org" until I get used to its own name, is reporting that The Pepsi Bottling Group has lost a data storage device that clearly was not protected with data encryption software like AlertBoot. I know this because The Pepsi Bottling Group (PBG), not to be confused with Pepsi the company, has admitted as much in a letter to the Attorney General of New Hampshire.
"The Pepsi Bottling Group (PBG) reported that it could not account for a portable data storage device, which contained unencrypted personal information, including the names and social security numbers of PBG employees in the US."[my emphasis]
Employee ID numbers and state of residence were on the device as well. The same letter notes that bank account and direct deposit information was not on it.
(Incidentally, what is this missing data storage device? An external hard disk? A CD or DVD? A flash drive? A backup tape? By keeping it nebulous, the company may be trying to deflect criticism: a missing backup tape generally draws less of a response than a missing USB memory stick. On the other hand, PBG didn't try to call its unprotected data anything other than unprotected, so I have to give them the benefit of the doubt.)
One may wonder what all this information was doing on something that could so easily be lost. Well, for starters, it was the payroll department that lost the device, so at least there are legitimate grounds for the data being there in the first place (unlike cases where an outside contractor is handed live data to test a program he's developing).
On the other hand, PBG's own account shows that its data security was somewhat lacking even beyond the absence of data encryption software:
"Since this incident, we have implemented several additional steps within our payroll department to protect…specifically, our payroll department has instructed its employees that they are prohibited from downloading social security numbers onto portable devices..."
That is a good step, as is PBG's other one: replacing full SSNs in payroll and benefit systems with just the last four digits (with the exception of core databases, of course; the IRS needs payroll to supply the full numbers along with the money).
Playing devil's advocate, though, I'd conclude they'll want to do more than data redaction. Policies only work when people decide to follow them. What happens when they don't? PBG may be better off investing in disk encryption solutions that also block USB ports from being used. In fact, there are solutions that will encrypt any data storage device plugged into a computer and make the data readable on that computer only.
And seeing how this entire data breach fiasco started with a payroll employee copying data from a company computer, for work-related purposes, such a solution might have prevented it from happening at all.
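To make the "don't rely on policy alone" point concrete, here is an added example (not code from the original post, PBG, or AlertBoot) of what a technical control behind the two steps above looks like: a payroll export routine that masks SSNs down to the last four digits whenever the destination is removable media, and refuses the export outright if a full SSN still turns up in any other column. Everything in it is an assumption for illustration: the records, the removable-media path prefixes, and the field names are constructed; a real deployment would ask the operating system which mount points are removable rather than matching path strings.

```python
"""Payroll export guard: enforce "no full SSNs on portable devices" in code.

Added illustration, not the post's or any vendor's code. Records, field names and
the removable-media prefixes below are constructed assumptions.
"""
import re

# Candidate SSN: nine digits in 3-2-4 groups, dashes or spaces optional.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Path prefixes we treat as removable media (assumption; real code queries the OS).
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb", "/run/media/")


class ExportBlocked(Exception):
    """Raised when a full SSN would otherwise reach removable media."""


def is_valid_ssn(area, group, serial):
    """Reject structurally impossible SSNs to cut false positives on other 9-digit IDs."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    if group == "00" or serial == "0000":
        return False
    return True


def mask_ssn(text):
    """Replace every plausible SSN with XXX-XX-nnnn, keeping only the last four digits."""
    def repl(m):
        area, group, serial = m.groups()
        if not is_valid_ssn(area, group, serial):
            return m.group(0)  # leave non-SSN digit runs untouched
        return f"XXX-XX-{serial}"
    return SSN_RE.sub(repl, text)


def contains_full_ssn(text):
    """True if any plausible, unmasked SSN appears in the text."""
    return any(is_valid_ssn(*m.groups()) for m in SSN_RE.finditer(text))


def is_removable(destination):
    return str(destination).startswith(REMOVABLE_PREFIXES)


def prepare_export(records, destination, ssn_fields=("ssn",)):
    """Build CSV lines for `destination`.

    Internal destinations get the records unchanged (core systems still need full
    SSNs). On removable media, SSN columns are masked and every remaining field is
    scanned; a full SSN hiding elsewhere (a notes column, say) aborts the export.
    """
    removable = is_removable(destination)
    rows = []
    for rec in records:
        out = dict(rec)
        if removable:
            for field in ssn_fields:
                if field in out:
                    out[field] = mask_ssn(str(out[field]))
            leaked = [k for k, v in out.items() if contains_full_ssn(str(v))]
            if leaked:
                raise ExportBlocked(
                    f"full SSN in field(s) {leaked} bound for removable media {destination}"
                )
        rows.append(",".join(str(v) for v in out.values()))
    return rows


def export_allowed(records, destination):
    """Verdict-only wrapper around prepare_export."""
    try:
        prepare_export(records, destination)
        return True
    except ExportBlocked:
        return False


# Constructed sample records; these are not real people or real SSNs.
SAMPLE = [
    {"emp_id": "E1001", "name": "A. Example", "ssn": "123-45-6789", "state": "NH", "notes": ""},
    {"emp_id": "E1002", "name": "B. Sample", "ssn": "219-09-9999", "state": "MA", "notes": "verified"},
]
# A record whose free-text column smuggles a second SSN past the column-level masking.
LEAKY = {"emp_id": "E1003", "name": "C. Case", "ssn": "219-09-9999",
         "state": "VT", "notes": "prior SSN 078-05-1120"}

if __name__ == "__main__":
    for line in prepare_export(SAMPLE, "/media/usb0/payroll.csv"):
        print(line)
    print("leaky export allowed?", export_allowed(SAMPLE + [LEAKY], "/media/usb0/payroll.csv"))
```

The column-level masking handles the normal case; the content scan is the safety net for the case a policy never covers, which is the full SSN that someone pasted into a comment field. Pair this with port blocking or device-bound encryption and the payroll employee's copy either contains nothing sensitive or is unreadable anywhere but on the originating machine.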
Related Articles:
http://www.databreaches.net/?p=131
http://doj.nh.gov/consumer/pdf/pepsi.pdf