Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data

Latest 'lost' laptop holds treasure-trove of unencrypted AT&T payroll data
Submitted by Paul McNamara on Thu, 06/05/2008 - 6:42am.
It's just another in a long line of stolen laptops ... unless you work in management at AT&T and you're worried about your social security number falling into the hands of identity thieves. Or, you're worried that your coworkers might find out how much -- or how little -- you actually earn.
While AT&T has declined to disclose the number of management employees put at risk by the May 15 theft from an employee's car, one manager who is among them tells me he knows of others located throughout every corner of AT&T's vast empire in the U.S. "I have found one individual who was not impacted," says the manager, who asked not to be named. "This is probably big, but not everyone."
"I'm very disappointed in my company," he adds. "Eight days passed before we were notified ... and it took up to another 10 days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch."
I've asked AT&T for comment. At the end of this post is a long excerpt from a Q&A the company provided to employees, who learned of the breach via an e-mail, which reads in part:
"This is to alert you to the recent theft of an AT&T employee's laptop computer that contained AT&T management compensation information, including employee names, Social Security numbers, and, in most cases, salary and bonus information. ... We deeply regret this incident. You will soon hear about additional steps we're taking to reinforce our policies to safeguard sensitive personal information and ensure strict compliance in order to avoid incidents like this in the future."
Regrets were not enough to allay the anger of this manager.
"It is pathetic that the largest telecom company in the world -- with more than 100 million customers -- doesn't encrypt basic personal information," he says.
Failure to encrypt and otherwise better protect such data is inexcusable at this point in time, agrees Kelly Todd, a staff member at attrition.org, a security site that maintains a database of data-breach incidents.
"Lack of encryption of personal data is generally troubling, especially when the data is being stored on any mobile device with a 'steal me' bulls-eye on it," says Todd. "According to part of the AT&T e-mail, 'It was not encrypted, but the laptop was password protected. AT&T is currently in the process of encrypting such systems.' Good for them, but larger companies can sometimes have tens of thousands of systems to identify, plan for, and then execute an encryption process. It seems to me that they should have been 'in the process' a year ago.
"Even more troubling is that AT&T mentions that the laptop was password protected in their letter," he adds. "It might make some people feel better, but just password protection alone is generally considered a security joke."
The AT&T manager whose data was exposed sees an even larger issue in play here.
"I receive company internal e-mails reminding me to contact our legislators about relieving the company of the burdens of regulation," he says. "What happened here shows the company isn't ready to have those burdens lifted."