AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Laptop Encryption Software Not Installed On Stolen Eisai Laptop

What is up with medical organizations these days?  Eisai Inc. has alerted the Attorney General of New Hampshire that a stolen laptop contained the information of the company's employees.  The laptop itself is password-protected, but data encryption software like AlertBoot endpoint security was not used to protect the contents.

Laptop Stolen from Employee's Car

The breach occurred on October 21, when a laptop was stolen from an employee's car.  The incident occurred in New Jersey but the letter to the AG states that 27 New Hampshire residents were affected.  A file in the laptop contained names, addresses, and Social Security numbers of employees (past and present) as well as "applicants."  It's not quite clear what kind of applicants they're referring to (I take it to mean job applicants).

More Breach Announcement Letters to Come?

In my opinion, there is good reason to believe that this breach involves more than the 27 NH residents above:

  1. Generally, employee information is not saved on separate files, or at least, not as different files separated by state residence.  Chances are the 27 employees above were a subset of a larger list.  It just happens that they're the ones being mentioned to the New Hampshire AG; other state residents don't really figure into the picture when you're contacting a particular state's Attorney General.

  2. Eisai's website has an interactive "career opportunities" page which allows one to search for job openings within the company.  While they subdivide the US by regions and whatnot, they also list NJ, MA, MD, PA, NC, CA, and D.C. specifically as locations with possible job openings.

    If the lost computer contained some kind of master list, I would imagine people in these states would be affected as well, not to mention residents of bordering states.  (NH, while not listed above, lies less than 10 miles from Andover, MA where Eisai has a research institute.)

    Also, considering Eisai's US subsidiary is headquartered in New Jersey, I'd say an argument of a master list being lost is pretty persuasive.

The lack of file encryption on the sensitive file means that there is a potential for affected employees and applicants to become ID theft victims.  Eisai has expressed doubt, seeing that there was "no reason to believe that any personal information has been or will be accessed or misused."

I would argue, though, that there is no reason to believe that it will not be accessed or misused.  The times, they are a-changin', and today's petty thieves don't seem to be looking for just a quick turnaround.

One thing to congratulate Eisai about: they didn't wait 6 months to make the breach public, unlike another medical organization that has recently been in the news over a data breach.

Would Encryption Have Made A Difference?

Most probably, yes.  As far as I know, state laws in NJ, MA, MD, PA, NC, and CA exempt a company from publicizing a data breach if the data in question was protected with encryption software. (Not sure what the status is for D.C.)

On a more practical and employee-centric level, data encryption would have pretty much guaranteed that the information would be inaccessible to the laptop thief, which is not a claim that anyone is willing to make about password-protection.  Indeed, this is probably why the state exemptions above were given for encrypted data.  This would probably ease the minds of employees better than any credit monitoring offered by the company.


Related Articles and Sites:
http://www.databreaches.net/?p=8449
http://doj.nh.gov/consumer/pdf/eisai.pdf
http://www.eisai.com/job.asp?ID=145
http://www.csoonline.com/article/221322/CSO_Disclosure_Series_Data_Breach_Notification_Laws_State_By_State

 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.