On February 23, a laptop assigned to a Corporate Human Resources Department employee of Catalent Pharma Solutions was stolen from a vehicle in New Jersey.
The laptop contained information on 2,656 current and former employees, including their names, addresses, Social Security numbers, and salary information. The laptop was reportedly password-protected.
Catalent’s draft of their notification (pdf) to affected employees states, “We want to assure you that we treat all employee information in a confidential manner and are proactive in the careful handling of such information. We have procedures in place to maximize the security of confidential information.”
If that’s the case, why were such data left in a vehicle? Did the employee violate the company’s procedures? There is no mention of any disciplinary action taken with respect to the incident. And were the data encrypted or was there just a weak login password for the laptop?
Although the notification to the Maryland Attorney General filed by its lawyers states, “As set forth in the attached letter, Catalent has taken numerous steps to protect the security of the personal information of affected individuals,” there are no steps set forth in the attached letter at all, other than an assertion that they are proactive and a repetition of standard advice about being alert, placing freezes, etc. Catalent’s draft letter to employees makes no mention of offering them any free services in the aftermath of the breach.
If my cybertone sounds a bit “snarky,” it’s because it is frustrating that after all this time and after so many cautionary tales, we are still seeing laptops with sensitive data left in vehicles.