Laptop with HP employee data stolen

A laptop with information on almost 200,000 current and former Hewlett-Packard employees was stolen last week, putting them at risk of identity fraud.

The stolen computer belongs to Fidelity Investments, which provides services to HP, a representative for the Palo Alto, Calif., technology giant said Wednesday. The laptop was being used by several Fidelity employees in an off-site location, said Anne Crowley, a spokeswoman for Fidelity, which is based in Boston.

The portable PC contains information on 196,000 current and former HP employees, Crowley said. The data includes names, addresses, Social Security numbers, dates of birth and other employment-related information, but not the personal identification numbers required to log on to Fidelity services, she said.

The HP incident is the latest in a string of data security breaches. In the last 13 months, more than 53 million personal records have been exposed in dozens of incidents, according to information compiled by the Privacy Rights Clearinghouse. Last month, McAfee reported that an external auditor lost a CD with information on thousands of current and former employees.

Fidelity has reported the theft to law enforcement agencies and the matter is under investigation, Crowley said. "They told us that there have been several laptop thefts...and that their experience has been that these appear to be largely property-focused, rather than people seeking data or identity information," she said.

There is no evidence that the information has been misused, Crowley said. Furthermore, the information requires a special application, which expired a day or so after the laptop was stolen, she said. "The data would be difficult to interpret and generally difficult to read or use."

Identity theft continues to plague consumers, topping the list of fraud complaints reported to the Federal Trade Commission last year. Consumers filed more than 255,000 identity theft reports to the FTC in 2005, accounting for more than a third of all complaints, the agency said in January.

HP and Fidelity started notifying affected individuals this week, both companies said. Fidelity has stepped up security on HP accounts and offers those affected a no-cost credit-monitoring service for a year.

Fidelity claims to be the largest mutual fund company in the United States and one of the world's largest providers of financial services to about 21 million individuals, according to its Web site.

[Jesus#2]

didn't he...

have FileVault enabled... have the data in an encrypted .dmg
file? ...oh.. that's right.. he was using Windows..

[drifted]

This is not about windows

I know windows has rubbish security, we all do, this is not about that. This is all about the plain foolish security policies of American Companies. You never hear of this sort of thing happening in Europe, there would be investigations by the police and governments if this sort of nonsense were to happen. Its time that there are laws preventing this kind of stupidness from happening again...

Who puts all 200,000 details of customers on 1 laptop without any form of security?? Who lets that kind of information get onto the laptop in the first place? Of course this thing will keep on happening until the US goverment makes a law prohibiting corporate america from taking shortcuts with their customer databases, although somehow i dont see this happening as the US Gov. hates regulation of any sort for big business...

[indrakanti]

I never use FileVault, but...

if I just close my Mac laptop without loging out, will the next person who opens it have access to the data? I ask this because I love the instant sleep/wake up feature and never..never logout on my iBook.

[awkuhn]

Time to sue!

It is ironic that these kind of incidences keep going unpunished! It's time to start multi- billion law suits.

These inciudences do not happen because od lack of technology, they happen because of gross negligence!

[mrvista]

Why was anyone walking around with identities of 196,000 people?

Sounds like gross negligence to me... not to mention sheer stupidity.

[rpbell]

One laptop...

Multiple users...
196,000 client records...
Off-site location...

What is wrong with this picture? This might well be the single most egregious violation of even the most basic security procedures that I have ever heard of!

It is more than negligence, it is even worse than gross negligence. It is fundamentally a criminal violation of (what I would bet money on) HP's contract with Fidelity (what a funny, funny name for such a faithless and unworthy company). If ~anyone~ in Fidelity management had even an inkling of the weight of the information that is potentially accessible--just think of the value of that notebook to well-heeled, organized criminal perpetrators of identity-theft--I say, if Fidelity had even the slightest idea of the magnitude of the information contained in one discreet resource, that person is personally and criminally liable, as is the corporation.

I can't believe that HP will even think about not pursuing this in the civil courts, and perhaps even, in seeking criminal prosecution.

Amazing...absolutely amazing!

rb

[mdeck]

criminal stupidity

Oh, everything will be all right -- Fidelity told me so. And they've given me a whole year (free!!) of monitoring on my credit report. I'm just certain any nasty people who might come into contact with my SSN won't use it after that year is up. Oh, and the data was encrypted, and there was a licensing program -- these are computers, I'm quite sure nobody will be able to decipher the info (because Fidelity told me so). And what harm could anyone possibly do with my SSN that wouldn't show up on my credit report?!?! Besides, as the Fidelity rep told me on the phone yesterday, SSN's are "a matter of public record," so anyone who wants mine has free and easy access to it anyway.

I just don't see why everyone's making such a big deal out of this....

-- searching for a new identity before my own is completely trashed

p.s. What kind of #*$&ing meeting could POSSIBLY require even ONE SSN, much less 200K??!?!?

[jerryho]

cannot believe it

How can such things happen. Although the information is so called expired, but its not difficult to retrieve it.

The information is more valuable been the laptop and the data could be in the wrong hands.

This is crazy and someone has to take the hit.

[reverend_john]

Stolen or Sold?

Its too easy to sit on a beach in Mexico saying Gee that laptop was stolen last week
I think they should be investigating his bank records for any large deposits lately.
Did you notice The data includes names, addresses, Social Security numbers, dates of birth and other employment-related information on HP employees? But Fidelity Investments made sure it didnt have personal identification numbers required to log on to Fidelity services stored on that laptop. Hum, all that data that can harm 196,000 current and former HP employees, and Hewlett-Packard, but nothing to harm Fidelity. That in its self makes me wonder. People should have the legal right to not have their personal data carried around on anyones portable laptop. How about this for Justice, If the information was sold he shall be guilty of a misdemeanor and fined not more than $5,000 according to The Privacy Act Of 1974.
But publish just one visual depictions of actual sexually explicit conduct on the internet or in a magazine without maintaining individually identifiable records pertaining to that performer portrayed in such a visual depiction is a felony and shall be imprisoned for not more than 5 years, and fined in accordance with the provisions of U.S.C., Title 18, Section 2257. I think our government wastes too much time and money worrying about porn on the internet and not near enough time and money when it concerns peoples rights to privacy. I say its time for The Privacy Act Of 2006. (1) Personal data shall not be uploaded to any portable device. (2) Personal data shall not be uploaded to any computer that has internet access. Its time for the government to step up and insure our personal data remains personal.

[rpbell]

The sentiment of the Rev's comment...

...is, of course, appropriate, but the methodology is quite unnecessary. Our system of jurisprudence is quite capable of handling the egregious nature of this infraction, without "the government" putting its huge footprint even further upon our lives.

I like Jefferson's view: It governs best that governs least.

rb

PS But it would be nice to see 196,000 people satisfied with a fine for each violation and treble-of-the-fine damages to the individuals...*8^) Woo hoo!

[donnie0526]

for sale

Nice laptop for sale with new hard drive encryption algorithm. Used but in good condition. Make offer.

[*joef*]

Fidelity Trying to "appease"

It's downright assinine that Fidelity has offered the people whose information was stolen, a "bone". Fidelity has offered the person's a "membership" in
Equifax Credit Watch, and suggested those people also monitor their credit reports for a period of 12 - 24+ months. So, Fidelity screws up and suggests the people who may be at risk, assume responsibility for any problems.

[rpbell]

Yo, M Deck...

Actually, I was surprised to discover that your comments were not thoroughly interlaced with appropriately placed "#*$&" -- about every other word. You're a most controlled person!

I still think it is criminal; and the SSN is not only NOT a matter of public record (though it is far too ubiguitous on applications, forms and databases, to be sure), it is constitutionally protected to NOT be a matter of public record.

That Fidelity representative needs a rectum-ectomy, from the inside out!

rb

PS Anybody got a latex glove that I can borrow?

[Yukimi Konomi]

AGAIN???

this happened to me when a hr rep had their work at home pc running kazaa or some other p2p app.

i got an email from some total stranger letting me know that it was out on the web. name, social, dob, salary, everything...

i told hr about it and what did they do? they gave the hr rep another pc just for working at home.

[209979377489953107664053243186]

need to extend security poilicies to laptops

The biggest problem is that most enterprise security is managed through centralized servers for their work computers, and laptops exist outside of that kind of protection sphere most of the time. Companies need to start implementing non-server dependant protection policies for those who use work laptops, and enforcing these policies as well.

<a class="jive-link-external" href="http://www.essentialsecurity.com/Documents/article2.htm" target="_newWindow">http://www.essentialsecurity.com/Documents/article2.htm</a>

[rivsys]

I'm so relieved!

Thank heaven their Fidelity Investments access credentials were not compromised...

I'm sure the exposed employees are so relieved, too.

Sheesh.

[James P. Larsen]

Lots of rants here, but no useful ideas . . .

. . . other than switching to a Mac. Nan Schwarz made a good
effort--he posted a link to an article that was smooth but, in the
end, said nothing:

"Taking the time to gather information on creating good internet
security practices will lead to a decrease in the future cost of lost
productivity, and by educating your workforce you create an
even wider prevention of productivity loss.

Yes, that's what everyone here is saying (if not as elegantly) but
even the product on that site--email encryption--would not
have saved the HP data. One can only wonder what sort of
education the author (a marketing expert) has in mind.

My earlier posting did draw a comment from rpbell who
suggested FileVault could be broken at the media level, but that
is not true. (If it were, then the name would be VileFault!) The
only risk with FileVault is in human error in using it, and that is a
minor risk due to its ease of use.

So, the question is still out there, dear correspondents--do
Windows users who want to protect their data have any other
choice than to switch to Mac and use FileVault?

James

[GTOfan]

you asked...

James:

The useful solution is really simple: This portable, laptop computer should have never had the data loaded on it in the first place. There is absolutely no reason the Fidelity employees need to have 200,000 personal records on a computer that can walk out of a secured office building.

What in the world does a travelling Fidelity employee need with a person's SS number? Fidelity should assign each customer an account number, and every transaction should use their own internal number. If the data gets stolen, then Fidelity can just void all their own internal account numbers. But to carry someone's one-and-only SS number around on a laptop - INEXCUSABLE!

Slowly, companies are learning that they must protect (or not even collect) SS numbers. Holiday Inn initially used SS numbers as your "frequest customer" number, but they later re-assigned random numbers. The carelessness of the past has to stop through policy and procecural changes within corporations that collect and use personal financial data.

It's time for a wake-up call. It's time that someone go to jail, and that some major corporation be brought to the brink of bankruptcy for not protecting their customer's data.

[richard8135]

I don't understand why so much information was on a laptop off site

As an HP employee, this is unbelievable. I just happened to stumble across this. I enrolled in the Fidelity investment program and I am very worried when I think about how much personal information including SSN that I input into the Fidelity system. If I become a victim of identity theft along with other employees, I have no doubt that I will seek legal action against Fidelity. I would like to forward this to everyone within my group and others at HP, but I am concerned that this would create employment problems (if you know what I mean.) I guess we will see how this turns out, god only knows.