Stolen laptop puts Boeing worker data at risk

[InfoSec News <alerts () infosecnews org>]

http://www.suntimes.com/business/170185,CST-FIN-boeing13.article

BY FRANCINE KNOWLES
Business Reporter 
December 13, 2006

In a disturbing case of deja vu, 382,000 Boeing Co. retirees and active 
workers are at risk of identity theft and credit-card fraud because of 
the theft of a company laptop computer.

The files on the computer contained their names, Social Security numbers 
and, in most cases, also home addresses, phone numbers and birth dates 
as well as salary information on some.

The theft, which Boeing confirmed Tuesday, is the third such incident in 
the past 13 months in which a laptop computer containing personnel 
information was stolen, and it took place despite safeguards the company 
put in place.

This time around, the huge number of people affected includes mostly 
retirees.

As was the case in the other situations, information on the laptop 
wasn't encrypted.

The latest theft took place in the first week of December, but Boeing 
has yet to notify affected retirees and employees. They will be notified 
shortly either online or by mail, Boeing spokesman Tim Neale said. The 
company is in the midst of putting the necessary infrastructure in place 
to handle questions that are anticipated, he said, including posting 
information on a Web site.

The theft took place after an employee left the laptop unattended, and 
returned to find it gone, Neale said. He would not say where the theft 
happened, but noted no proprietary, customer or supplier data was on the 
computer.

In November 2005, a Boeing laptop containing information on roughly 
160,000 current and former Boeing employees was stolen. In that 
incident, bank account information was also on the computer. Also, last 
April, a laptop containing information on 3,600 employees and retirees 
was stolen.

The latest incident represented a violation of company policy, Neale 
said.

In the wake of the earlier thefts, Boeing has required that staff who 
work with personnel data take it off the hard drives of their computers. 
Managers were responsible for making sure that happened, Neale said. 
Employees who need to work with personnel data are now required to work 
off of the firewall-protected server, and if there is a need to download 
such information to a laptop hard drive, the information is supposed to 
be encrypted, he said.

"It's very disturbing to us when things like this happen, and there are 
certain steps you can take right away ... but we realize we need to go 
above and beyond those," Neale said.

He noted the company has a goal of replacing Social Security numbers 
with other types of identifiers where possible to limit the number of 
data bases that have that information. Boeing also is working on putting 
software in place that automatically encrypts personnel data, he said.

Employees affected by the latest theft will be notified and provided 
with information on how to sign up with Experian Co., a 
credit-monitoring service. Boeing will pay for three years of 
monitoring, Neale said.

Regarding the earlier thefts, he said "we haven't had any indication 
that anybody has misused the information, but that said, we recognize 
that data has been lost, and it's important to do what we can to make 
sure people are protected."


_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn