Skip Links

Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data

By Paul McNamara on Thu, 06/05/08 - 10:42am.

It's just another in a long line of stolen laptops ... unless you work in management at AT&T and you're worried about your social security number falling into the hands of identity thieves. Or, you're worried that your coworkers might find out how much -- or how little -- you actually earn.

(Update: Maybe AT&T should have eaten its own dog food.)

While AT&T has declined to disclose the number of management employees put at risk by the May 15 theft from an employee's car, one manager who is among them tells me he knows of others located throughout every corner of AT&T's vast empire in the U.S. "I have found one individual who was not impacted," says the manager, who asked not to be named. "This is probably big, but not everyone."

"I'm very disappointed in my company," he adds. "Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."

I've asked AT&T for comment. At the end of this post is a long excerpt from a Q&A the company provided to employees, who learned of the breach via an e-mail, which reads in part:

"This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information, including employee names, Social Security numbers, and, in most cases, salary and bonus information. ... We deeply regret this incident. You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future."

Regrets were not enough to allay the anger of this manager.

"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information," he says.

Failure to encrypt and otherwise better protect such data is inexcusable at this point in time, agrees Kelly Todd, a staff member at attrition.org, a security site that maintains a database of data-breach incidents.

"Lack of encryption of personal data is generally troubling, especially when the data is being stored on any mobile device with a 'steal me' bulls-eye on it," says Todd. "According to part of the AT&T e-mail, 'It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.' Good for them, but larger companies can sometimes have tens of thousands of systems to identify, plan for, and then execute an encryption process. It seems to me that they should have been 'in the process' a year ago.

"Even more troubling is that AT&T mentions that the laptop was password protected in their letter," he adds. "It might make some people feel better, but just password protection alone is generally considered a security joke."

The AT&T manager whose data was exposed sees an even larger issue in play here.

"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."

Here's the meat of that Q&A from AT&T:

When and where did this happen?

The laptop was stolen on May 15 from an employee's vehicle, and the employee notified a supervisor upon discovering the theft. The case is under active police investigation; we're not providing any further details.

Why aren't you disclosing the location?

We believe that the theft was a random property crime and, in most of these cases, the hard-drive is wiped clean and the computer is re-sold for profit. We do not want to potentially notify the thief of the nature of the data on the hard-drive.

What kind of information was on the laptop?

The laptop contained a file listing names, Social Security numbers and salary and bonus payments for a number of AT&T management employees.

Has any of this personal information been compromised?

We have no reason to believe this information has been compromised. We are working closely with local law enforcement to investigate the crime and to attempt to recover the laptop.

How many employees are affected?

It is our policy not to provide that information.

Why did the employee have the information on his/her laptop?

The employee and business unit had access to the data as part of normal work functions. We're not providing any additional detail on the circumstances.

Was it encrypted? If not, why not?

It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.

How could this have happened?

This was a criminal act by an unknown person. AT&T is taking proactive measures to remind employees of the need to protect company property to avoid such incidents in the future.

What are the proactive measures?

Managers throughout the company will be responsible for ensuring compliance with existing standards for use of mobile computing devices by both employees and vendors. These standards include encrypting sensitive data and physically securing devices containing such data.

Why weren't those standards followed in this case?

The measures and precautions we put in place to protect the security of company-owned property and our employees' personal information were not followed. We will continue to remind our employees in the strongest terms what the policies and expectations are, and we will enforce those policies across-the-board, without exception.

We'll leave the last word to the manager whose personal info was put at risk:

"Water-cooler buzz is really just beginning," he says of the reaction within the company. "Lots of anger - both that the information was compromised and that the person responsible was just disciplined. We absorb the entire risk of identity theft and the individual gets off with 'discipline.'

"I expect, after the outrage of SSN and payroll dies down, there will still be anger that 'personal responsibility' means nothing. If this doesn't get you fired - what does?"

Welcome regulars and passersby. Here are a few more recent Buzzblog items. And, if you'd like to receive Buzzblog via e-mail newsletter, here's where to sign up.

Amazon's down ... really down.

Can early tornado warnings create Darwin Award winners?

The REAL sticking point between Microsoft and Yahoo!

Google News, McCain and The Mystery Blonde.

Worst of the lot for two years running: PCMall and PCConnection.

Times breaks out xkcd-to-English translator.

This Year's 25 Geekiest 25th Anniversaries.

Top 10 Buzzblog posts for '07: Verizon's there, of course, along with Gates, Wikipedia and the guy who lost a girlfriend to Blackberry's blackout.

8 can't-miss tech predictions ... for 1998