ABM Industries — a facilities services contractor that operates across the US — has notified the New Hampshire Attorney General that a break-in at its Atlanta offices has triggered a data breach, affecting 91 employees in NH alone. The use of hard disk encryption like AlertBoot would have been advisable in this case, seeing how one of the stolen items was a computer that stored tax reporting information.
Break-in in March, Notifications in April
The break-in occurred on March 5, 2011, but the breach notification letters were not sent until April 15, 2011. ABM attributed the month-long delay to a request by the Cobb County Police Department, which believed going public with the breach could impede its investigation.
It appears to have worked somewhat: a suspect was arrested, although it’s implied that there was at least one other person involved; however, stolen items were not recovered.
The notification letter specifically mentioned the breach involved names and Social Security numbers. It also noted that the computers with the information were not targeted specifically, and were stolen along with televisions, mobile telephones, and other electronics. Financial account information was not included.
Was Encryption Software Used?
ABM had this to say:
The computer in question is equipped with a continuum of specialized security protocols to deter unauthorized access to the tax reporting information, as are the related programs and files.
It’s amazing how some companies can write so many words without telling us anything. What does the above mean? Have they installed desktop data encryption, under the premise that the unlikely theft of the desktop computer would incur a data breach, seeing how it was holding tax information?
Or did they opt for password-protection at every stage, from the moment the computer boots up to starting up the software that will read the files, to the files themselves?
A combination of passwords and encryption? Something else? It’s hard to tell. Generally speaking, companies that used encryption on computers that were stolen tend to go ahead and state that their computers were, well, encrypted.
On the other hand, I’ll refrain from assuming that ABM didn’t use encryption: I’ve seen enough cases where a company used encryption to protect their data, had a computer stolen, and still resorted to the tortured, circumspect language characteristic of members of the legal profession.