Computerworld - AT&T Inc. and Maryland's Department of the Environment have become the latest organizations to find out firsthand why security analysts for some time now have advocated the use of encryption to protect sensitive data on laptops and other mobile devices.
A laptop containing unencrypted personal data on current and former employees of the former AT&T Corp. was stolen recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, names and other personal details.
A spokesman for AT&T today confirmed the July 27 incident and said it affected only people who were employees of AT&T before it was acquired by SBC Communications Inc. in 2005 and became AT&T Inc. No data involving employees of SBC, BellSouth or Cingular was affected, the spokesman said.
According to the spokesman, the stolen laptop contained information about AT&T Corp.'s benefits plans and was password-protected. He did not say whether the person from whom the laptop was stolen was authorized to carry the information on the device.
But he did note that the data "was not stored in a way that was consistent with AT&T policies." Those policies call for encryption of sensitive data as well as "physical security measures." He declined to elaborate.
AT&T learned of the theft on July 31 but did not begin notifying affected employees until Aug 20. The company needed that time to identify exactly whose information was involved and locate their contact information, he said. "The various files that were stored on the laptop were in a variety of formats -- none of which contained up-to-date addresses," the spokesman said.
All the individuals affected are being offered a year's worth of free credit monitoring services, he said.
Tony Walton, a former AT&T Corp. employee based in Gosport, Ind., was one of those who got a notification letter from Dorothy Attwood, the company's chief privacy officer.
"I'm kind of pissed off about it," said Walton, who expressed frustration at what he claimed was AT&T's refusal to divulge more details about the incident. The letter described the theft as a random incident. But Walton said he would have liked to know more about the circumstances under which the laptop was stolen to gain a better understanding of the risk to his personal data.
Walton said he called a toll-free number provided by AT&T and was told that the data on the laptop had been encrypted and he had nothing to worry about. "I just don't like the way they are handling it. They just won't tell us anything," he said.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
