Update on White Rock Networks breach
Yesterday, I reported on a breach reported by WFAA in Texas, where boxes of intact personnel records, some containing Social Security Numbers and even medical information on employees, had been found next to a public dumpster in Plano.
As Brad Watson of WFAA reported, White Rock Networks had gone bankrupt in 2006 and its assets were “eventually purchased by another firm that later merged with a third company.”
By doing a bit of digging, I found that some White Rock Networks assets had been acquired by Turin Networks, who eventually merged with Force10 Networks.
I contacted Force10 Networks to inquire what they knew about these records in terms of who had custody of them or who was responsible for them. In response, I received this statement from a corporate spokesperson:
2005Turin Networks acquired some IP (intellectual property) assets and physical equipment from White Rock Networks in an asset sale held by the bankruptcy court. Prior to Turin’s acquisition of certain of the former White Rock Networks assets, White Rock employees had already been terminated by White Rock Networks when White Rock Networks declared bankruptcy. Turin never received or obtained or held any personnel files, records or papers of any former White Rock employees.
Turin did hire some former White Rock employees after some employees contacted Turin seeking employment. However, their personnel records from White Rock did not move to Turin and we were never informed about where such records may have been kept.
Out of concern for former White Rock employees who are now employed by Force10, we have been proactive, informing them that we never had their White Rock records in our possession and we have advised them on actions that they can take relative to potential identity theft as recommended by the FTC.
In conclusion, as an employer who places a high value on employees and their confidentiality, we were appalled to hear about the careless actions that took place in Plano.
In light of the above, it sounds like neither Turin Networks nor Force10 Networks have any role in the breach, and that the records were never in their custody. Perhaps one of the principals of White Rock stored the records and a storage unit was abandoned, or perhaps there is some other explanation, but it seems that former White Rock employees whose personnel records were exposed and left vulnerable this way may have no one to point the finger at unless law enforcement investigates and identifies the responsible party.[Date of Turin’s acquisition of some IP corrected]