Recently, a Baxter human resources employee based in the U.S. was
attending a human resources conference in Chicago, Illinois.
[Evan] Obviously, human resources personnel handle very sensitive
information. Just a couple of weeks ago, the human resources
department at a company I consult for sent a spreadsheet containing
sensitive personal information to a group of unauthorized persons.
On June 24, 2008, a thief entered the hotel room of the employee while
that employee was attending the conference, and stole a laptop
computer belonging to Baxter.
Subsequently, we learned that two data files on the laptop contained
personal information, including names, social security numbers,
encoded information regarding background checks, and addresses of
certain current, former, and prospective U.S. employees.
[Evan] Unencrypted, I presume.
No customer or patient data was included in these data files.
The data files included personal information of roughly 6,900 people.
Baxter has notified and is working closely with local law enforcement
officials to investigate this matter.
Additionally, we are developing policies and procedures to strengthen
our data security policies to reduce, if not eliminate, the risk that
data losses of this type ever occur again.
[Evan] Usually the best we can hope for is a reduction in risk. We
(information security personnel) are in the risk reduction business,
not the risk elimination business. We aim to bring residual risk to a
level that is acceptable to the business. Do you suppose that a
decision was made to not encrypt laptops at Baxter, or did they just
not understand (or identify) the risk?
We are notifying our employees whose information may have been or may
be compromised of this incident on Monday, July 14th by writing to
them at their last known addresses.
I want to assure you that we are taking this incident seriously and
taking steps to ensure that all of our data is as secure as possible.
[Evan] Ensuring that data "is as secure as possible" in the literal
sense is not feasible. Can Baxter live up to this statement? I don't
think any company can.
We deeply regret that this incident occurred.
On behalf of the entire Baxter organization and our dedicated human
resources staff, I want to express our deepest regret for this
unfortunate incident and let you know that we are doing everything we
can to address the situation and assist you.
We do not know that this information has been accessed and misused.
The stolen laptop required a user to enter certain user credentials,
such as a correct username and password, in order to access the laptop
computer.
[Evan] Anyone with little skill can easily access the laptop without
the "certain user credentials" if the laptop is not protected with
encryption (and pre-boot authentication).
We have retained Kroll Inc., a New York-based risk consulting firm and
a global leader in data security, who has worked with other large
corporations under similar circumstances, to provide its ID TheftSmart
safeguards to you at no charge.
[Evan] It would have been a good proactive decision to have sought the
advice of a good risk consulting firm before this incident. Other
organizations should take heed.
You can reach the call center, toll-free, at 1-800-588-9839, anytime
Monday through Friday from 8 a.m. to 5 p.m. Central Standard Time.
We have formed an Information Security Assessment Team, which will
assess our data security controls and recommend and implement steps to
further strengthen those controls to appropriately reduce the risk of
significant data loss, including restricting data access and requiring
the use of encryption tools.
[Evan] Good! Let's hope that the Information Security Assessment Team
is effective and remains an integral and regular part of Baxter's
information security program long after this breach is forgotten.
Please be assured that we take this issue seriously.
source: http://breachblog.com/2008/07/21/baxter.aspx