State web sites that post breach reports often reveal breaches we didn’t learn about via media coverage. Here are five that I learned about in the past few days:
Republic Services reported that a laptop stolen from an employee’s home contained current and former employees’ names and Social Security numbers. The theft occurred in Maricopa County on August 10.
The InterContinental Mark Hopkins in San Francisco reported that burglars ransacked the hotel’s sales office and removed a hard drive containing personal data of guests. The hard drive was left in the sales office, but forensic examiners could not rule out the possibility that data were accessed. “If the criminals did this, they could have accessed the following types of information: name, mailing address, and credit/debit card number,” writes Nelum Gunewardane, General Manager of the hotel.
Argotec notified its employees that their names, bank account information and Social Security numbers might possibly have been accessed by a cyberattack on July 26.
Crystal & Company provides insurance and risk management services to clients. One might wonder if they managed their own risk appropriately, because not only was a laptop with unencrypted client information stolen from an employee’s car on June 14, but they did not even learn of the theft until June 20. The laptop contained a variety of data types, including name, Social Security number, date of birth, driver’s license information, medical record number, salary information, and zip code. Their letter does not state whether the employee was disciplined in any way for leaving a laptop with so much PII in an unattended vehicle or if the employee’s conduct was consistent with any policies. Crystal & Company did not reply to an e-mail inquiry sent to them yesterday requesting more details on this incident and any consequences to the employee. Update: this breach was also reported to New Hampshire on Sept. 11 with some additional details. Some of the individuals affected were associated with Linchris.
Do you remember ever seeing a breach notice concerning a Paragon Solution Network breach in January, 2012 that involved 1ink.com? Neither do I, but American Express recently notified some card members that “A merchant where you used your American Express Card detected unauthorized access to their website files. At this time, we believe the merchant’s affected data files included your American Express Card account number, your name and other Card information such as the expiration date.” PSN and 1ink are both at the same address in Burbank, California.