Network World

Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data

By Paul McNamara on Thu, 06/05/08 - 10:42am.

It's just another in a long line of stolen laptops ... unless you work in management at AT&T and you're worried about your social security number falling into the hands of identity thieves. Or, you're worried that your coworkers might find out how much -- or how little -- you actually earn.

(Update: Maybe AT&T should have eaten its own dog food.)

While AT&T has declined to disclose the number of management employees put at risk by the May 15 theft from an employee's car, one manager who is among them tells me he knows of others located throughout every corner of AT&T's vast empire in the U.S. "I have found one individual who was not impacted," says the manager, who asked not to be named. "This is probably big, but not everyone."

"I'm very disappointed in my company," he adds. "Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

I've asked AT&T for comment. At the end of this post is a long excerpt from a Q&A the company provided to employees, who learned of the breach via an e-mail, which reads in part:

"This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information, including employee names, Social Security numbers, and, in most cases, salary and bonus information. ... We deeply regret this incident. You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future."

Regrets were not enough to allay the anger of this manager.

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information," he says.

Failure to encrypt and otherwise better protect such data is inexcusable at this point in time, agrees Kelly Todd, a staff member at attrition.org, a security site that maintains a database of data-breach incidents.

"Lack of encryption of personal data is generally troubling, especially when the data is being stored on any mobile device with a 'steal me' bulls-eye on it," says Todd. "According to part of the AT&T e-mail, 'It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.' Good for them, but larger companies can sometimes have tens of thousands of systems to identify, plan for, and then execute an encryption process. It seems to me that they should have been 'in the process' a year ago.

"Even more troubling is that AT&T mentions that the laptop was password protected in their letter," he adds. "It might make some people feel better, but just password protection alone is generally considered a security joke."

The AT&T manager whose data was exposed sees an even larger issue in play here.

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Here's the meat of that Q&A from AT&T:

When and where did this happen?

The laptop was stolen on May 15 from an employee's vehicle, and the employee notified a supervisor upon discovering the theft. The case is under active police investigation; we're not providing any further details.

Why aren't you disclosing the location?

We believe that the theft was a random property crime and, in most of these cases, the hard-drive is wiped clean and the computer is re-sold for profit. We do not want to potentially notify the thief of the nature of the data on the hard-drive.

What kind of information was on the laptop?

The laptop contained a file listing names, Social Security numbers and salary and bonus payments for a number of AT&T management employees.

Has any of this personal information been compromised?

We have no reason to believe this information has been compromised. We are working closely with local law enforcement to investigate the crime and to attempt to recover the laptop.

How many employees are affected?

It is our policy not to provide that information.

Why did the employee have the information on his/her laptop?

The employee and business unit had access to the data as part of normal work functions. We're not providing any additional detail on the circumstances.

Was it encrypted? If not, why not?

It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.

How could this have happened?

This was a criminal act by an unknown person. AT&T is taking proactive measures to remind employees of the need to protect company property to avoid such incidents in the future.

What are the proactive measures?

Managers throughout the company will be responsible for ensuring compliance with existing standards for use of mobile computing devices by both employees and vendors. These standards include encrypting sensitive data and physically securing devices containing such data.

Why weren't those standards followed in this case?

The measures and precautions we put in place to protect the security of company-owned property and our employees' personal information were not followed. We will continue to remind our employees in the strongest terms what the policies and expectations are, and we will enforce those policies across-the-board, without exception.

We'll leave the last word to the manager whose personal info was put at risk:

"Water-cooler buzz is really just beginning," he says of the reaction within the company. "Lots of anger - both that the information was compromised and that the person responsible was just disciplined. We absorb the entire risk of identity theft and the individual gets off with 'discipline.'

"I expect, after the outrage of SSN and payroll dies down, there will still be anger that 'personal responsibility' means nothing. If this doesn't get you fired - what does?"

Thanks Network World and another stupid ATT Manager

As one of those people who had his data stolen in this incident, I just want to say "Thank you" to NetworkWorld for letting the thief know what he has, and to that ATT manager who is so outraged he spoke to you about it and offered proprietary internal documents to Network World, "thanks also."

Very nice responsible journalism and ethics from one who complains about the company's ethics here.

You, sir, should be fired with the perpetrator of this event.

[snort]

> I just want to say "Thank you" to NetworkWorld for
> letting the thief know what he has, and to that ATT
> manager who is so outraged he spoke to you about it
> and offered proprietary internal documents to
> Network World, "thanks also."

You, sir, are three levels of idiot.

First, anyone who would care *in the slightest* about the data (i.e., anyone who possesses the capability to leverage a list like this into an actual fraud) would have checked the drive in the first place. They wouldn't be looking for a website to tell them what they had just stolen.

Second, if what is reported here is correct, AT&T's data privacy procedures are horrid. If AT&T can't manage their own proprietary data, this is symptomatic of some major problems. Vetting this in the public eye is actually probably good for the company -> it's embarrassing enough to actually push for change, before you lose something that you're legally required to disclose to the public, like your *customers'* data.

Third, you cannot claim that this memo is proprietary information, even if AT&T labeled it as such. This is an alert required by several different states' laws to be distributed to people affected by a data breach. AT&T cannot claim ownership over these alerts. Anyone receiving one is perfectly within their rights to redistribute this information to whomever they please.

Can't keep it secret

Agreed. Anyone who gets the notice can do with it what they want. This was bound to come out. His anger at NetworkWorld is misplaced anyway. The employee's statement and some of the documents were first posted on another site yesterday morning.

If Birdjay is going to be angry, he should be angry at AT&T for not monitoring and enforcing their security protocols better. Failing to encrypt is bad enough, but leaving a laptop with PII in your car?

Should've had easy encryption in place

This is totally AT&T's fault for not having encryption in place. Everyone forgets their laptop now and then, but there are USB security tokens like this one out there that automatically lock the data with 256 AES when you pull them out. Tether the key to employee lanyards and less of this kind of thing would happen.

Once the data is out, it's out, and trying to hide it won't help anything except PR. Those thieves already know what they have.

I agree with you. I was

I agree with you. I was shocked when my friend told me about this article. I thought only employees were to know of this incident. This leak of information is practically no better than leaving unencrypted data on a laptop.

Thanks Birdjay...

... for providing a knee-jerk reaction to news that was publicly known before this blog post was published:

http://www.scmagazineus.com/ATT-management-staff-data-on-stolen-laptop/article/110884/

If you took the time to quit breathing through your mouth and would look at the date/timestamps, you would CLEARLY see that SC Magazine's Dan Kaplan wrote about this exact breach hours before NetworkWorld did.

You, sir, are nothing more than a troll. Please tell your managers in AT&T's P.R. department hello for me.

Still

Even though this was already publicly available knowledge, I still think it's more appropriate to have a spokesperson as a source in this matter (as in the case of SC Magazine) and not just some employee posting memos. I believe it's up to the company to disclose this.

Even still...

If it was up to "the company to disclose this", you would have little to no public information available. Believe it or not, there are actually *laws* that are on the books in at least 42 states regarding the disclosure of breaches concerning personal information. To say that "it's up to the company" is not only misinformed, but patently, hands-down false. Any company that believes that it is above the law in this matter is quite simply negligent.

Yes I know there are laws

And what I meant is that it's up to the company to follow the law and provide the required information to the appropriate authorities. No, the company is not above the law, and it is their duty to comply. But I still think it's unprofessional to use just any employee as a source.

Sorry to say but..

You are so far off that it's not even funny. If you would like to vent a little, try some simple athletic exercise.

Now, isn't it weird that even today these kinds of things happen, all the time? Something to do with attitudes / corporate politics? Because after designing secure systems for 30+ years I can tell you: it is not expensive; no process alone (as AT&T says they will implement?) will ever take care of security; blaming someone else like a department, organization, etc. manager - give me a break. Security is a corporate business function!

Just as a first line of security, encryption has been available for a long time, is today easier than ever, secure enough in most cases, and so on. Combined with role identity with certain access rights to information, it will protect from physical security problems. Social "hacking" and misplaced trust problems are other issues, worth another article, but corporations are hiding those very well, except maybe when a bank loses a couple of billion $, see stories.
