SterlingBackcheck, a New York-based background check company that provides services to the Salvation Army, has suffered a data breach.
An employee laptop, password protected but unencrypted, was stolen out of a car on May 29th of this year. The laptop contained the personal information, including names, social security numbers and dates of birth, of over 100,000 people, including 6,400 people in Georgia and 86 Salvation Army applicants.
“It’s a very unfortunate incident,” Major Todd Hawks of the Salvation Army told CBS46 News. “Whether it’s one or 500,000, a breach is a breach. It was one computer. It wasn’t a server, it was just a computer and whatever was on that laptop. So it seemed like it was contained.”
SterlingBackcheck says that they “are unaware of any actual or attempted misuse of this information, and there is no indication the data that may have been stored on the laptop was the target of the theft.”
The amount of FAIL in this situation is off the charts. Starting from the bottom:
1. The Employee: Leaving a laptop in a car? Really?! Not only that, but leaving a laptop that contains sensitive information about other people in a car. Is this stupidity, ignorance, or just horrible lack of respect for anyone other than themselves?
2. The Company, Mistake #1: An unencrypted laptop with sensitive information stored on it? FAIL. A login password protects nothing at rest: pull the drive, mount it on another machine, and every file is readable. Any laptop that can hold personal data should be built to a compliance baseline, with full-disk encryption enforced and verified (not left to the user), kept fully patched, and issued only to employees who have been trained on how to handle it. 100,000 people affected from one computer. It’s ridiculous.
3. The Company, Mistake #2: A laptop with sensitive information on it being allowed to leave company grounds? FAIL. Records like these belong on a server inside the company’s controlled environment; if staff need them off-site, give them remote access to that server, not a local copy on a portable device.
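“Encrypted” has to be something the company can verify, not something it hopes is true. The following check, added here as an illustration (it is not code from Milton Security, SterlingBackcheck, or anyone else involved in the incident), walks the block-device tree a Linux laptop reports through lsblk and flags any mounted filesystem or swap area that is not sitting on a dm-crypt (LUKS) layer. It assumes a Linux host using dm-crypt; the two device layouts below are constructed sample data, not output captured from any real machine. On Windows or macOS the equivalent check is BitLocker or FileVault status, which this script does not cover.

```python
import json

# Constructed sample output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`
# (illustrative data, not captured from any real machine). Layout: an EFI
# partition, an unencrypted /boot, and a LUKS container holding LVM volumes.
ENCRYPTED_LAPTOP = json.dumps({
    "blockdevices": [{
        "name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
        "children": [
            {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
            {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None,
             "children": [
                 {"name": "cryptroot", "type": "crypt", "fstype": "LVM2_member", "mountpoint": None,
                  "children": [
                      {"name": "vg-root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
                      {"name": "vg-home", "type": "lvm", "fstype": "ext4", "mountpoint": "/home"},
                      {"name": "vg-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"},
                  ]},
             ]},
        ],
    }],
})

# Same hardware, but the installer's "encrypt my disk" box was left unchecked:
# the stolen-laptop case. Constructed data, as above.
PLAIN_LAPTOP = json.dumps({
    "blockdevices": [{
        "name": "nvme0n1", "type": "disk", "fstype": None, "mountpoint": None,
        "children": [
            {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
            {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
            {"name": "nvme0n1p3", "type": "part", "fstype": "ext4", "mountpoint": "/home"},
        ],
    }],
})

# Mount points that legitimately sit outside the encrypted container: the
# firmware and bootloader read them before any passphrase can be entered.
BOOT_EXEMPT = {"/boot", "/boot/efi"}


def _walk(node, encrypted_ancestor=False):
    """Yield (mountpoint, is_encrypted) for every mounted device in the tree.

    A device counts as encrypted if it, or any device above it in the stack,
    is a dm-crypt mapping (lsblk type "crypt").
    """
    encrypted = encrypted_ancestor or node.get("type") == "crypt"
    # lsblk >= 2.37 emits "mountpoints" (a list); older versions emit "mountpoint".
    mounts = node.get("mountpoints") or [node.get("mountpoint")]
    for mp in mounts:
        if mp:
            yield mp, encrypted
    for child in node.get("children", []):
        yield from _walk(child, encrypted)


def unencrypted_mounts(lsblk_json):
    """Return sorted mount points (swap included, shown as "[SWAP]") whose
    backing device has no dm-crypt layer above it, ignoring the boot
    partitions that must stay in the clear."""
    tree = json.loads(lsblk_json)
    exposed = set()
    for mp, encrypted in _walk({"children": tree["blockdevices"]}):
        if not encrypted and mp not in BOOT_EXEMPT:
            exposed.add(mp)
    return sorted(exposed)


def disk_encryption_ok(lsblk_json):
    """True only when every data-bearing mount, swap included, is encrypted."""
    return unencrypted_mounts(lsblk_json) == []


if __name__ == "__main__":
    # Live use on a Linux host:
    #   lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT | python3 check_fde.py
    # Without piped input it evaluates the constructed unencrypted sample.
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else PLAIN_LAPTOP
    for mp in unencrypted_mounts(data):
        print(f"UNENCRYPTED: {mp}")
    sys.exit(0 if disk_encryption_ok(data) else 1)
```

Run from an endpoint-management agent, a non-zero exit is the signal that a device is not fit to hold personal data. Swap is deliberately included: a plaintext swap partition leaks whatever was in memory, which is why the check refuses to exempt it.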
Clearly, this company has major security issues. They claim in their statement that they “take data privacy and security very seriously. We have gone to great lengths to create a compliant and secure data environment and we have instituted a comprehensive series of procedural and technological reforms to mitigate against the risk that a similar incident happens again.” This data breach certainly does not speak to their taking data privacy and security seriously. Not only do they need to increase the amount of security, but they need to up their employee security education game. The employee involved in this situation should have their access pulled immediately until they can prove that they understand the gravity of being responsible for personal information.
The hotline for potential victims to call is 855-227-9823.
For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.