“Gap Inc. announced Friday that a laptop containing the personal information of about 800,000 job applicants was stolen from the offices of one of its vendors that manages data for the company.”
The laptop was not encrypted. Way to go. Part of the reason for the impressive total is Gap also owns Old Navy and Banana Republic. (The latter brand may inspire a few cracks about the information security approach used by the retailer.) Invariably adding insult to injury in these cases is the PR response:
The data on the laptop may not have been the motivation (unless there was a big sticker exclaiming “Danger! Confidential data, property of Gap Inc.”) but that does not help because: Either the criminals is 1. clueless and will simply resell the machine without peeking, in which case it is up to the next person to see what he/she just inherited, OR 2. is a professional and will try to sanitize the drive prior to resale, in order to hide the fact that it is stolen merchandise. It’s not a stretch to say that prior to wiping out the drive he/she may take a peek. In any case, how does the Gap conclude there has not been accessed or used improperly? Is there a new, alien technology in their possession to monitor ongoing access to a stolen drive? Did they run credit checks on all 800K applicants to check for signs of new -account fraud using the compromised identities?
Another fine addition to the excellent Hall of Shame maintained by PrivacyRights, the Chronology of Data Breaches going back to ChoicePoint in 2005. Current count stands at 166M– half the population of the US, including every child if there had been no overlaps. That web page could well serve as mandatory web-browser start page for CISOs and other influential officers of any organization tasked with protecting large amounts of user data.