GE Screws 50,000 Employees
GE had a laptop swiped from a hotel room that contained the names and socials of 50k current and former employees. The article does not say that the data on the drive was encrypted, so I'm assuming it was not.
From Reuters here:
September 26, 2006 (Reuters) — General Electric Co. said today that a company laptop containing the names and Social Security numbers of 50,000 current and former employees was stolen in early September.
The laptop, which had been issued to a GE official who was authorized to have the data, was stolen from a locked hotel room, GE said.
The Fairfield, Conn.-based company began mailing letters this week to the people whose names and Social Security numbers were on the laptop to notify them of the breach and offer a year’s free access to a credit-monitoring service, GE spokesman Russell Wilkerson said.
Wilkerson declined to give further details such as where and when the theft took place or whether the company official is still with GE.
Anytime that this personal data is placed on a hard drive that exits the sphere of physical control of the corporate security office, it should be encrypted. GE knows this, and they are one of the leaders in IT security. They have the entire 3.x.x.x class A address space and they have an amazing IA team. How this one got away is puzzling. It can only be negligence or an external contractor that does not take proper precautions.
Every company claims that they take all possible measures to secure their customers’ and employee data, but there have been far too many security breaches lately for this to be true.
The fact that this information was left unencrypted ON A PORTABLE MACHINE is completely unacceptable. Not only does GE need to refine their risk policies (if they even have any at this time), and work on employee education… And of course security software such as Remote Laptop Security needs to be installed ASAP.
As a consumer, I’ll know to be aware of the way GE handles data in the future.
MLess,
Welcome to the blog and thanks for the comment.
For a bunch of guys that are world-class leaders in Information Assurance, this is a major screw-up. You know, I think these guys build missiles too.
While SSNs are not as critical as plans for a guided missile system, at least some bare-bones security should be expected, eh?