July 3, 2008 9:52 AM PDT

Stolen: Google employees' personal data

Stolen: Google employees' personal data
Related Stories

Stolen Boeing laptop held ID data on 382,000

December 14, 2006

Laptop theft exposes Hotels.com data

June 2, 2006

Laptop with HP employee data stolen

March 22, 2006
Related Blogs

Stolen Home Depot laptop exposes employee data


October 18, 2007

IBM loses tapes with employee data


May 15, 2007
Google has confirmed that personal data of U.S. employees hired prior to 2006 have been stolen in a recent burglary.

Records kept at Colt Express Outsourcing Services, an external company Google and other companies use to handle human resources functions, were stolen in a burglary on May 26. An undisclosed number of employees' details and those of dependents such as names, addresses, and Social Security numbers were on the stolen computers. It is understood that Colt did not employ encryption to protect the information.

It's still unclear how many more of Colt Express' clients were affected by the breach. CBS' CNET Networks, publisher of News.com, was also affected by the burglary, with about 6,500 employees' details stolen.

Although there is no evidence of misuse of the data to date, the information obtained could be used by identity thieves to create fake accounts and identities.

It's only come to light now that Google was one of the companies affected. Google itself was not burglarized, nor were any of its internal systems compromised.

Danny Thorpe, former chief scientist at Borland and engineer at Google who now works for Microsoft, was informed of the theft on July 1.

A letter from Google said personal data of Google employees hired prior to December 31, 2005, may have been stolen in the May 26 burglary of Colt Express Outsourcing Services. No credit card numbers were in the stolen data; just names, addresses, SSNs--all the information needed for a thief to open a credit card account under another's name.

According to Thorpe, Google has offered to cover the cost of a one-year subscription to a credit report and identity theft-monitoring service. Similar benefits were offered to CNET Networks employees.

ITWorld reported last week that Colt Express Outsourcing Services was in financial difficulty and could not help those affected. The company's CEO, Samuel Colt III, said in a statement "We do not have the resources, financial and otherwise, to assist you further."

"We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an ongoing basis," a Google representative said. "Google is not currently using Colt's services and had made this decision long before this incident."

Brendon Chase of ZDNet Australia reported from Sydney.

See more CNET content tagged:
Google Inc., Human Resources, social security number, Social Security, credit card

10 comments

Join the conversation!
Add your comment
We can use that new Law in Texas:
* Lawsuit says every repair technician in Texas must have private investigator's license
* Licenses are obtained with criminal justice degree or 3 year apprenticeship
* Violators can face up to a 4K fine and 1 year in jail
Posted by inachu (963 comments )
Reply Link Flag
I've identified at least 6 clients affected by the Colt Express burglary on <a href="http://www.pogowasright.org/search.php?type=all&query=Colt+Express&mode=search&Submit=Search">PogoWasRight.org</a>: CNet, Google, Ebara Technologies, former Avant! employees, Punahou School District, and bebe stores, and there are probably more that we'll find in time.. Some of the clients, like Google, were no longer doing business with Colt but their unencrypted employee and dependent info was still on computers in the office that Colt reports were "password-protected."
Posted by ChecksAndBalances (2 comments )
Reply Link Flag
No encryption? Again, people ask "WHY?" It truly isn't that hard or expensive to implement, and it saves a lot of trouble and money.
Posted by hawkeyeaz1 (569 comments )
Reply Link Flag
"Google is not currently using Colt's services and had made this decision long before this incident." This begs the question: If Google hasn't been using Colt Express Outsourcing Services for a while now, then why was Colt still hanging on to Google's employee data? Shouldn't Colt have turned it over to Google and deleted their copy? They had no business retaining this data from a former client. At the very least, Colt should have exported the data, encrypted it, stored it off site (in a secure facility), and purged it from the active database.
Posted by Get_Bent (534 comments )
Reply Link Flag
Encryption is simply not going to work. The problem is too many people have access to your information to begin with, and all it takes is one person to forget to use it. That is why it will never work. We're never going to be able to protect everyone's identity like that. We need new laws and technology to make it impossible to use someone's identity even if they have your information. Are you telling me there's only one level of security? Nobody bothers to check or validate after that? Simply knowing my information should not be enough to use it. There needs to be more layers of security after that. You shouldn't be able to use my identity or open any accounts with my financial information unless my own bank down the street, where everyone KNOWS ME, APPROVES IT by me going in with my ID saying yes I approve it. They could charge me an approval fee. They could charge small fees to approve new credit cards, loans, or accounts in my name even if the account itself is at another bank. It would even be profitable to do it this way. What is the problem? Even if someone did take a fake ID into my bank, at least it is probably a local criminal that is more likely to get caught than if they can use my name from the other side of the globe. Just have a database where you can link my SN with the ONE bank you need to get approval from to use my identity. Then they can say hey, yeah I'll give you a credit card or whatever, but you have to head down to your bank to activate it. Then we'll call them and make sure we got that approval. If they don't get that approval. Too bad. It shouldn't count against me. They take the loss. If someone does become a victim of identity theft anyway, they should be given a new legal identity and SN straight away. Even if their information has simply been stolen and not used yet. Let the companies that aren't checking credentials correctly take the fall.
Posted by Imalittleteapot (835 comments )
Reply Link Flag
When a company like Google can't keep their data secure, then it's a true problem.. I agree with the last post about how too many people have access to data to start with too..

http:://blabtech.blogspot.com
Posted by blabtech (75 comments )
Reply Link Flag
this careless storage of people id needs to stop this is not going to happen until lawsuites and big payment settlements start to happening. corporation do not practice guardin and preventing lost they go until they have to pay and pay big time then they start lost prevention this is a bigger problem now that corporation have farm out to call centers all over the world india, central america, sudiaribia, all these call centers have your private info when you call for help, information how do these corporation protect your data in a foreign country when everything has a price and is sold easily?????

yes i agree with lamlittleteapot we give out our private info to readily to companies we need to start being more active in guarding our info
Posted by jjcompliant (12 comments )
Reply Link Flag
Any company dealing with sensitive information must use encryption, period. I recently lost my USB flash drive with all of my passwords in an encrypted file with a 63 character password and I feel perfectly safe.
Posted by cporpheus (81 comments )
Reply Link Flag
Original post: <a class="jive-link-external" href="http://dannythorpe.com/2008/07/01/google-employee-records-stolen-in-colt-break-in/" target="_newWindow">http://dannythorpe.com/2008/07/01/google-employee-records-stolen-in-colt-break-in/</a>
Posted by dannythorpe (2 comments )
Reply Link Flag
Do SSN's expire after 1 year? It should be a mandatory minimum 10 year credit watch. It should also be a Federal crime to maintain sensitive information and not have it encrypted. That would spur companies to make their data more secure from theft.
Posted by mojojam (27 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.