Stolen laptop puts Starbucks workers' IDs at risk

Story Published: Nov 24, 2008 at 9:16 PM PST. KOMO News Channel 4.
SEATTLE -- Starbucks Corp. has issued a troubling e-mail to more than half of its workforce, alerting workers a stolen laptop could put the personal information of 97,000 employees in jeopardy. 

"We are writing to inform you of a recent incident that may have involved a breach of your private information (including name, address and social security number)," stated the e-mail sent out on Monday.

According to Starbucks, the laptop was stolen back on October 29 at an unspecified location (Chula Vista, CA). It's unclear why the company waited four weeks to notify its employees. 

So far, there's no indication the data has been misused. Still, the company is advising employees to monitor their financial accounts, and be on the lookout for signs of identity theft.

This is not the first time Starbucks has had employees' personal information compromised due to a laptop theft. 

Two years ago, the personal information of more than 60,000 employees and contractors were compromised when four computers disappeared. At the time, the company said it was implementing a policy that forbids putting critical data such as social security numbers on mobile equipment.

On Monday, on a popular blogging site for Starbucks workers, comments echoed nervousness from those who got the emailed warning.

"This is very frustrating! I try so hard to watch who I give my personal information to and the company I work for doesn't seem to have any security guarding my information," one commenter wrote. 

To help those 97,000 workers keep on the lookout for identity theft, Starbucks is providing them with a full year of credit watch service for free. 

Starbucks could not be reached for comment.

IT security policy enforcement struggles

Dan Raywood | October 30, 2008

Companies are struggling to come to grips with the basics of vulnerability management, says Chris Schwartzbauer, vice president of development and customer operations at Shavlik Technologies.

During a presentation at the PCI Europe conference in Brussels, Schwartzbauer said organizations often seem to be working in the dark when it comes to enforcing IT security policy and compliance with external regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27002. He added that security administrators are recognizing the need to develop a meaningful overview of what machines are on and connecting to their network.

“You can't secure what you don't know about, and unfortunately the unknowns are many," Schwartzbauer said. "IT administrators are often unaware of all of the servers live on their network, let alone their relevance or desired configuration, mobile computers are missed during scheduled vulnerability checks, old or unauthorized account privileges persist. And virtualization has made it all too easy for users to ‘create' more machines that must be protected.”

In his remarks, he said organizations are challenged by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time-consuming to interpret, and a reticence to automate where manual processes are no longer adequate.

“Decision makers, the CIO, security and risk managers assume the basics are resolved because the investment has been made in sophisticated security strategy and technologies,” he said. “But it is in the mundane processes, the policy and configuration management, where the vulnerability gaps are left wide open.”

He continued: “Until these basics are effectively managed, there will always be a risk to company security and any effort at compliance with security policy or external regulation.”

California laws will increase penalties for patient data snoopers

Dan Kaplan | October 01, 2008

California Gov. Arnold Schwarzenegger on Tuesday signed two bills into law that will allow the state to impose harsher penalties on hospital workers who inappropriately access patient data.

The bills -- authored by Democratic Sen. Elaine Alquist and Assemblyman Dave Jones -- hold health care providers responsible for protecting patient data from unauthorized access, and sets fines for violators of up to $250,000 per incident.

The legislation was spurred on by a March report in the Los Angeles Times that staff at the UCLA Medical Center snooped on the medical records of Britney Spears and California First Lady Maria Shriver.

"Medical privacy is a fundamental right and a critical component of quality medical care," Schwarzenegger said in a statement. "Repeated violations of patient confidentiality are potentially harmful to Californians, which is why financial penalties are needed..."

According to the governor's office, existing laws made it difficult to impose and enforce fines unless a district attorney or the state attorney general got involved.

Privacy advocates lauded the bills' passage.

"Your medical privacy is one of those areas where once the information is out, it's very difficult, if not impossible, to get it back," says Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse. 

"With financial privacy, while it's bad when there's a disclosure, most of the time you're able to recover from it," he told SCMagazineUS.com on Wednesday. "Medical privacy issues are different, particularly with someone who may have a condition or a disease that may cause embarrassment. That's something you're going to have to live with for the rest of your life."