Visit www.barracudasecurity.com

Visit www.barracudasecurity.com

Legend

Location Of Theft in AQUA BLUE
URL Of Linked Article In STEEL BLUE or GREEN
Full Content Of Article In BLACK
Theft Description In Body Of Article in RED

Monday, August 31, 2009

NEW HAMPSHIRE COMPUTER STOLEN Normandeau Associates reports theft and recovery of stolen laptop | Office of Inadequate Security:

Normandeau Associates reports theft and recovery of stolen laptop

August 28, 2009 by admin
Filed under Breach Incidents, Breach Types, Business Sector, Theft, U.S.

Leave a Comment

Normandeau Associates, an environmental consulting firm based in New Hampshire, notified the New Hampshire Attorney General of the theft of a laptop with an encrypted employee database. The theft occurred in 2008, and the laptop was recovered in February 2009, but Normandeau did not learn of the problem until June 2009, at which point they notified 277 employees in New Hampshire. As they explain (pdf):

In June, 2009, Normandeau learned that one of its laptop computers had been stolen from the home of a Normandeau employee in November, 2008, and later returned in February, 2009. The password protected laptop contained an encrypted employee database with personal information, including names, social security numbers, and bank account numbers of past and present Normandeau employees. The perpetrator required specific computer software to access the encrypted database in its existing fonnat on the laptop, and it is unknown if access was actually made.

The local police were notified about the theft and Normandeau conducted an internal investigation. Nonnandeau also consulted with a computer forensic analyst, but was unable to detennine if unauthorized access to the database actually occurred. There is no evidence of misuse of the personal information.

[...]

Normandeau has policies that prohibit personal information from being downloaded onto its laptop computers. In this instance, the database was temporarily stored on the laptop during restorative maintenance to the company’s network, and contrary to company policy, not thereafter removed. The company took action against the responsible person for unintentionally failing to remove the database containing the personal information as required by company policy. No further precautionary actions were required to prevent similar breaches.

Posted by Nodrog at 10:01 AM
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)