AT&T and Maryland’s Department of the Environment have become the latest organisations to find out first hand why security analysts advocate the use of encryption to protect sensitive data on laptops and other mobile devices.
A laptop containing unencrypted personal data on current and former employees of AT&T was stolen recently, from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, names and other personal details.
A spokesman for AT&T confirmed the incident which took place in late July, and said it affected only employees of the former AT&T acquired by SBC Communications in 2005. No data involving employees of SBC, Bell South or Cingular was affected, the spokesman said.
According to the spokesman, the stolen laptop contained AT&T’s benefits plans information and was password protected. He did not say whether the person from whom the laptop was stolen was authorised to carry the information on the device.
But he did note that the data “was not stored in a way that was consistent with AT&T policies.” Those policies call for encryption of sensitive data as well as “physical security measures.” He declined to elaborate.
AT&T learned of the theft on 31 July but began notifying affected employees only on 20 August. The company needed that time to identify exactly whose information was involved and locate their contact information, he said. “The various files that were stored on the laptop were in a variety of formats - none of which contained up-to-date addresses,” the spokesman said.
All the individuals affected are being offered a year’s worth of free credit monitoring services, he said.
Meanwhile in an unrelated incident, Maryland's Department of the Environment (DoE) said in a statement that a laptop belonging to an employee had been recently stolen from a vehicle. The computer contained four state databases with personal information of licenses issued by various agencies. The data included Social Security numbers, names, addresses and phone numbers. According to the agency, the information on the computer was password protected but there was no mention of whether it was encrypted or not.
Affected individuals have been notified and all major credit bureaus have been alerted, the DoE said.