Andy Frain Services has reported a breach to the California Attorney General’s Office. The breach reportedly occurred on May 2, and their letter to those affected begins:
We are writing with important information regarding a recent security incident. The privacy and security of the personal information we maintain is of the utmost importance to Andy Frain Services, Inc. (“Andy Frain Services”). As such, we wanted to provide you with information about the incident, explain the services we are making available to you, and let you know that we continue to take significant measures to protect your information.
So what happened? If they take “significant measures,” I might expect to see some unusual or sophisticated attack, but no. It seems that an employee’s laptop with unencrypted names and Social Security numbers was stolen from her car. Not surprisingly, the laptop was (only) password-protected. template. Their notification did not indicate how many individuals had their names and SSN on the stolen device or whether the employee violated any policies. Nor does it indicate whether there was any disciplinary actions taken with respect to the employee.
You can read the template of their full notification letter here. It includes an offer of one year of complimentary services with an Experian product. Those affected can call a phone line set up to handle inquiries about the incident and steps that can be taken to protect themselves.
Not knowing anything about Andy Frain Services, I googled the firm and learned that they provide integrated security services for events. They have more than a dozen locations in the U.S., as well as locations in China, England, and Canada.
But it was the google search results that surprised me the most. Under the link to their web site was Google’s warning, “This site may be hacked.”
DataBreaches.net emailed Andy Frain Services on September 4 through their web site to ask them if they were aware of the Google warning that they might have been hacked and whether there was any connection between that message and the laptop theft breach they had reported to California. No answer was received and the firm did not respond immediately to a voicemail left for them tonight. If a response is received, this post may be updated.