Topic: Hard Lesson in Google Data Breach  (Read 1012 times)

0 Members and 1 Guest are viewing this topic.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Hard Lesson in Google Data Breach
« on: July 11, 2008, 08:57:38 pm »
By Andy Patrizio
July 8, 2008


Google (NASDAQ: GOOG) has found itself in a number of privacy-related controversies, ranging from general user concerns over search records to its new Google Health site for storing personal medical records. But now some of its own employees face the threat of identity theft.

Last week the search giant revealed that on May 26, thieves broke into the offices of Colt Express Outsourcing Services of Walnut Creek, Calif., and stole several PCs containing the personal information of Google employees, along with employees of CNET Networks and other clients of the firm.

This wouldn't be a problem if it weren't for the fact that the data was not encrypted in any way, so the thieves can power up the PCs and get at all of the information.

Colt didn't have truly sensitive information, such as credit cards, bank records or PINs, but it did have names, addresses and social security numbers, more than enough to acquire a credit card under false pretenses. Google is now in the process of notifying States attorneys general and its employees about the breach.

Google ended its relationship with Colt on Dec. 31, 2005, but data from employees hired before Jan. 1, 2006, was still with the company. It would not say why.

Most data breaches come from lost or stolen laptops, but in the break-in at Colt's offices a number of desktop PCs were stolen. There was no answer at Colt's offices, and if the company's home page is any indication, there isn't much of a company left, either.

Google said it does check on the security processes for its outsource partners to insure they have proper data protections. Beyond that, it would only refer to a statement it has issued to all press: "We take the security of our employees very seriously and are taking appropriate measures to ensure that all affected Googlers are properly protected. No users were affected, and no Google systems were compromised."

Companies need to take the security precautions of their outsourcing partners as seriously as their own, said Avivah Litan, senior analyst for security with Gartner (NYSE: IT).

"The takeaway here is that a lot of companies think that in outsourcing their data processing or storage, you're off the hook or the scope of your security efforts is greatly reduced. What they don't do is due diligence on their outsourced service provider," she told InternetNews.com.

Targeting sensitive data?

Litan wondered if Colt was targeted because it had sensitive data. "In this case, if they are going after a set of computers, [the thieves] may have more information than we know about," she said. "They may know that company has sensitive employee data. So it could have been a deliberate attack on the data, not just the computers, in which case there is a much higher chance the data will be abused."

Companies are looking to outsourcing more and more, but need to realize that the buck stops with them, not the service provider, because it's their data, Litan went on to say.

"It's their customers, their employees," she said. "If they use an outsource service provider that doesn't use secure practices, that's their problem. You can't just throw the data over the fence and hope your problems go away," she said.
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: Hard Lesson in Google Data Breach
« Reply #1 on: July 12, 2008, 10:01:30 am »
When you have physical access to the machines it is difficult to block you from having your way with the data.  With all the bad publicity from lost laptops and storage devices and other forms of security breaches hopefully these companies will start to clean up their act.

At least in regards to the Google company records that this 3rd party had stolen everything is 2 1/2 years out of date which limits the damage somewhat.  Also at this point it is unknown if the thieves were stealing computers or stealing data so how much at risk they are is unclear.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."