Disk Encryption: PF Chang Reports Possible Employee Data Breach.

PF Chang’s China Bistro has notified the NH Attorney General’s office that stolen equipment may lead to a breach of employee information.  Data encryption software like AlertBoot endpoint security was not used, it appears, although password protection was in place.


Databreaches.net reveals that PF Chang set up http://www.notifyinformation.com/Faq.aspx in order to provide information regarding the data breach.  Oddly enough, it’s only in English, although the material filed with the NH AG shows breach notification letters in English and Spanish.


What Type of Equipment?



PF Chang hasn’t revealed what type of device was stolen (was it a laptop?  External disk drive? USB memory stick?).  What has been revealed at this point is that it was electronic equipment of value that could store employee information; more specifically, names, dates of birth, and SSNs of 73 residents of New Hampshire (although I suspect it may affect even more employees.  PF Chang’s China Bistro has a nation-wide presence with 350 outlets under the PF Chang and Pei Wei restaurant names).


It was also not revealed where the theft took place, although it was noted that the company discovered the theft “within an hour of the incident.”  The password protecting the device was not revealed to the thieves.


I’d say that signs point to the stolen electronic device being a computer: to begin with, it has to be something that’s used frequently (the theft of devices like backup drives is not usually discovered within an hour, for example).


And, it used password-protection. Not that password-protection is unavailable on, say, portable hard disk drives.  However, it’s more common on computers than other devices.


Plus, I figure that a company that’s willing to go around installing password-protection on external drives is probably security-oriented, and would have soon realized that password-protection always takes a backseat to data protection using encryption software.


Secondary Damage



While the initial objective of the theft was probably stealing the device, it does not preclude the thief from attempting to gain access to it.  And while the presence of password-protection does provide some comfort, it’s far from guaranteed that the information will not be accessed.


On the other hand, the use of encryption comes much, much closer to that guarantee than not.


Related Articles and Sites:
http://doj.nh.gov/consumer/pdf/pf_chang.pdf
http://www.databreaches.net/?p=9749
http://www.slate.com/id/2218402/


