According to a letter posted at the New Hampshire Attorney General’s website, TechCentral experienced a data breach in late August. Apparently, an employee’s laptop computer was stolen. Sensitive information was stored on the device, but data encryption like AlertBoot was not used to secure it.
Six NH Residents Affected – How Many More?
The stolen laptop contained sensitive information such as SSNs and credit card numbers. As stated, encryption software was not used but password-protection was in place. Readers of this blog already know why password-protection is not really “protection.”
Per the letter, six residents in New Hampshire were affected; it should be noted, however, that NH requires reports on how many of its residents were affected. Whether residents of other states were affected is outside the scope of its laws. Hence, knowing that six NH residents were affected does not shed light on how many people were affected in total.
Now, TechCentral is a division of Henry Schein, a company that’s listed on the NASDAQ and has a market cap of nearly $6 billion. According to this page on informatica.com, the company has over 100,000 customers, although it’s hard to tell how many belong to the TechCentral division. However, I think it’s a good guess that the number of people affected across the US is probably in the hundreds as opposed to the single digits.
Not First Breach – Déjà Vu
This is not Henry Schein’s first data breach. According to datalossdb.org, the company saw a data breach in 2007. In that particular case, a laptop was stolen from a trade show in Chicago, although the computer belonged to the Financial Services division.
It parallels the above case, though, because 1) the stolen laptop contained personal information like SSNs and 2) the computer was not encrypted but did feature password-protection.
Which brings us to this question: has anything changed at the company in the past four years? In terms of deploying data security tools, that is. If not, they’re actually in good company. (Not that there’s anything good about it, but you get my drift.)
It behooves Henry Schein, if it hasn’t already done so, to coordinate the deployment of encryption tools across the company. 2011 is a different place from 2007, and the repercussions of losing sensitive data that was not adequately protected could be dire.