Building materials supplier Lehigh Hanson notified the New Hampshire Attorney General on December 8th of a breach involving employee payroll data. The breach began with a former employee downloading data to take with him to a new employer. The downloaded data, however, turned out to be more than just the forms and templates the employee thought he was downloading. The data included files with Lehigh Hanson employee payroll information of current and former employees. When the employee started work with his new employer, a university, he uploaded what he thought was just forms and templates to the Web.
When Lehigh Hanson discovered that some of their corporate data was on a university’s server, they contacted the university and asked them to remove the data immediately. The university complied and informed them that there might be confidential information involved.
Lehigh Hanson reports that they then
… retained an outside law firm and computer forensics firm to investigate the matter and secure and remove any and all Lehigh Hanson data. The investigation found confidential information was included in the data downloaded to the server, but was unable to report whether or not any of the data, including the confidential information was accessed or acquired by a third party.
The files were exposed for approximately two months. The number of former and current employees affected was not reported.