ING Screws DC Employees
ING is a financial services company that provides all kinds of things for employers and their employees- from insurance to retirement plans. ING upgraded their offerings this past week by offering free credit monitoring too because they don’t protect their customers’ data. Yep, a laptop was stolen, this time from an ING employee’s DC home. The data? Socials, names and addresses- basically everything you need to steal someone’s identity.
ING is a great suffix, too. How about ScrewING? ShriekING? FireING?
From the AP here:
Laptop With D.C. Workers’ Data Stolen
WASHINGTON (AP) — A laptop containing the Social Security numbers and other personal data of 13,000 District of Columbia employees and retirees has been stolen, officials said.
The computer was stolen Monday from the Washington home of an employee of ING U.S. Financial Services, said officials with the company, which administers the district’s retirement plan.
The company did not notify city employees of the theft until late Friday because it took officials several days to determine what information was stored on the laptop, ING spokeswoman Caroline Campbell said.
The laptop was not password-protected and the data was not encrypted, Campbell said.
“For us, this is very unfortunate,” she said. “But we’re moving forward, we’re very focused and committed to find any other laptops that don’t have encryption software and to fix that. This incident revealed a gap.”
Two other ING laptops containing information on 8,500 Florida hospital workers were stolen in December, but the employees were not notified until this week, said ING spokesman Chuck Eudy. Neither laptop was encrypted, he said.
Someone should be fired at ING over this, and I think Caroline Campbell would be a good first start for this egregious lie about being “focused and committed” to hardening their laptops. A Florida laptop was stolen in December. They should have realized THEN that they need to look at all of their laptops to make sure that they are encrypted, NOT when the second gets stolen six months later!
ING undergoes audits just like any other large financial company. As such, I am certain that they have multiple reports from KPMG, E&Y, or some other auditing firms telling them that there are industry standards for operating things like computers, and all of the ways that they are violating those standards. All computers at minimum should be password protected. These laptops did not even have the minimum security of a password.
Is it going to take a huge billion dollar lawsuit to get companies to protect personally identifiable information correctly?