Estée Lauder employees notified that their data were on stolen laptop

Another day, another stolen laptop with employee data. This time it’s New York-headquartered Estée Lauder.

In a notification letter dated July 13 that omits important details, the firm’s lawyer writes that the company “recently learned” about the theft of a company-issued laptop that contained names and Social Security Numbers of current and former employees and contractors for the firm.

The letter to the New Hampshire Attorney General’s Office does not state:

1. When the theft occurred.
2. When they first learned of the theft.
3. Where the theft occurred.
4. How the theft occurred. Was the laptop stolen from a car, a home, or what?
5. Which police department the theft was reported to and how employees can obtain copies of the police report.
6. How many people, total, had data on the stolen laptop.

The letter indicated that following the theft, the company changed all passwords assigned to the employee. But there is no mention of encryption at all in either letter. Does the company require such data to be encrypted, and if so, why wasn’t it? And if they didn’t require encryption before, why aren’t they requiring it now? Where is the somewhat standard inclusion of what steps the company is taking to reduce or eliminate the likelihood of this type of breach happening again?

If you’re an employee of the company, there’s a phone number for you to call if you have questions. Maybe you can get more details and information about the incident, and if you do, please let me know.

About the author: Dissent