
Put Home Depot On the Wood Pile of Laptop Data Breaches

Thanks to Jonathan Feeley for the alert about this Boston Business Journal article:

"... a laptop containing the personal information of thousands of Home Depot employees is missing after it was stolen from a Massachusetts worker's car... the Atlanta-based home improvement retailer said it is confident that the personal information was not the thief's target."

Network World reported that the data breach affected 10,000 Home Depot employees. Apparently, the laptop was stolen from a car while parked at a residence. The Home Depot has not disclosed the city or town where the data breach occurred. Was the employee fired? I hope so but the company hasn't disclosed that either. I guess that neither the company nor this dumb-a$$ employee studied the Data Breach Analysis flow.

Seriously, companies need to do more about data security when employees store massive amounts of sensitive data on a laptop which they bring home, take on vacation, and leave in a highly insecure location like a parked car. It's very easy to find the long list of companies, universities, accounting firms, medical plans, hospitals, and government agencies that have suffered data breaches via laptop theft. Here's a partial list of laptop-only breaches with the date and number of records stolen/exposed:*

  • Univ. of California at Berkeley: March 2005: 98,400
  • MCI: April 2005: 16,500
  • California Department of Health Services: April 2005: 21,600
  • Oklahoma State Univ.: April 2005: 37,000
  • Colorado Health Dept.: May 2005: 1,600
  • U.S. Department of Justice: May 2005: 80,000
  • Kent State University: June 2005: 1,400
  • Eastman Kodak: June 2005: 5,800
  • Bank of America: June 2005: 18,000
  • Ohio State Univ. Medical Center: June 2005: 15,000
  • Univ. of Florida Health Sciences Center: August 2005: 3,851
  • J.P. Morgan Chase & Company: August 2005: undisclosed
  • Bank of America: September 2005: undisclosed
  • Univ. of Tennessee Medical Center: November 2005: 3,800
  • Boeing: November 2005: 161,000
  • First Trust Bank: December 2005: 100,000
  • Ameriprise Financial: December 2005: 260,000
  • Univ. of Washington Medical Center: January 2006: 1,600
  • Ernst & Young (UK): February 2006: 38,000
  • Mount St. Mary's Hospital: February 2006: 17,000
  • University of Northern Iowa: February 2006: 6,000
  • Metropolitan State College: March 2006: 93,000
  • Verizon: March 2006: undisclosed
  • Ernst & Young (UK): March 2006: undisclosed
  • Fidelity Investments: March 2006: 196,000
  • Boeing: April 2006: 3,600
  • Aetna: April 2006: 38,000
  • Mercantile Potomac Bank: May 2006: 48,000
  • M&T Bank: May 2006: undisclosed
  • Ernst & Young (UK): June 2006: 243,000
  • Buckeye Community Health Plan: June 2006: 72,000
  • YMCA (RI): June 2006: 65,000
  • Union Pacific: June 2006: 30,000
  • ING: June 2006: 13,000
  • Equifax: June 2006: 2,500
  • Armstrong World Industries: July 2006: 12,000
  • Toyota (TX): August 2006: 1,500
  • PSA HealthCare: August 2006: 51,000
  • U.S. Dept. of Transportation: August 2006: 132,470
  • Chevron: August 2006: undisclosed
  • Williams-Sonoma: August 2006: 1,200
  • Diebold: August 2006: undisclosed
  • General Electric: September 2006: 50,000
  • Camp Pendleton Marine Corps Base: October 2006: 2,400
  • T-Mobile: October 2006: 43,000
  • Gymboree: October 2006: 20,000
  • Starbucks: November 2006: 60,000
  • Notre Dame Univ.: January 2007: undisclosed
  • North Carolina Dept. of Revenue: January 2007: 30,000
  • St. Mary's Hospital (MD): February 2007: 130,000
  • Los Angeles County Child Support Services: March 2007: 243,000
  • Caterpillar: April 2007: undisclosed
  • Pfizer: June 2007: 17,000
  • Verisign: August 2007: undisclosed
  • Connecticut Dept. of Revenue: August 2007: 106,000
  • AT&T (TX): August 2007: undisclosed
  • Gap: September 2007: 800,000

Dig deeper into these breaches and you'll learn that often a company employee, subcontractor, or accounting firm employee had a laptop stolen off company premises. There are so many data breaches to learn from. It seems silly to store massive amounts of sensitive data on a single laptop. (Note the repeat offenders in the above list, too.) You'd think that companies would learn from the mistakes of others and tighten their data security processes and increase employee training!

Learn more about the sensitive data companies archive about customers, employees, and former employees.

* Source: Privacy Rights Clearinghouse

Comments


Mark Allen

Add the University of Cincinnati to your list:

http://www.wlwt.com/news/14363019/detail.html
