If you follow me on Twitter and thought I was mad at NBC Sports over their coverage of Formula One (F1) racing, that may pale in comparison to how some others may be feeling this week after they’ve received a breach notification letter from NBC Sports.
It seems that two of NBC Sports’ laptops were stolen from … wait for it… an unattended vehicle. The theft occurred in northern California on August 14. The laptops reportedly contained names plus at least one of the following elements: date of birth, driver’s license number, and/or Social Security number.
The letter to the New Hampshire Attorney General’s Office indicates that six New Hampshire residents were affected, but does not mention how many people, total, were affected by the breach. Nor does it indicate whether the individuals affected were employees or were affected in some other capacity. No copy of the letter to those affected was included in their submission to the state, and their notification to the state does not indicate what, specifically, they are doing to mitigate risk of potential harm or to prevent a recurrence. They also omit any mention of whether the employee who left the laptops with seemingly unencrypted personal information in a car was violating any of their security policies.
Dare I say it? Their coverage of their breach is as lame as their coverage of F1.
And they need SSNs for what reason? They aren’t in the credit granting business. There seems no due care for the sensitivity of data. It’s not one laptop, it is two with probably redundant data which probably should have never been there in the first place.
For security of PII, all it takes is a little brain power. Assume you are being watched travelling to/from your car on a daily basis. If you carry laptops to your car, but not out, the crooks take note of it.
All of these breaches never heard of an Ironkey flash/thumb drive? It’s a secure device – slap the wrong password into it 10 times in a row and it destroys itself. But that’s a tedious security control and too much of a bother.
There is a serious lack of security practices and reprimands for violations. Another thing is that the personnel involved in these acts aren’t tracked, so the same practices may apply for the next company they work for.
The paperwork involved in a breach should be utterly painful, so those that eventually get through the paperwork fiasco will never want to go through it again.
They might need SSNs if these were employee data, but their letter doesn’t state whether these were employees’ data, contractors’, or what…