Tuesday, June 25, 2013

A real Gap in confidential information procedures

This isn’t the first time that confidential employee info has fallen into the gap at Gap.

I had recalled “the case of the stolen laptops” of a few years back, and sure enough, in 2007 there was this fiasco:

An unnamed contractor is being blamed for a data breach at Gap Inc. that has compromised the data of about 800,000 people who applied for jobs with the U.S. clothing retailer.

On Friday, Gap said the data had been stored on two laptop computers that were stolen from the vendor's offices. Although the job applicant information on the laptop -- which included Social Security numbers -- was supposed to be encrypted, it was not. (Source: PC World)

So by Gap standards, the latest is nada much – and probably would have been nada even less if it hadn’t involved actor Richard Dreyfuss’ daughter. (Whose name may actually only mean something to old geezers like me who remember him in The Apprenticeship of Duddy Kravitz. More recently, he played a mean – in both senses – Dick Cheney in W.)

Anyway, the fiancé of Emily Dreyfuss ordered a tie and pocket square from Banana Republic, which is part of the Gap. (Tie and pocket square: how Ralph Lauren-Downton Abbey is that? Okay, okay, not all that Ralph Lauren-Downton Abbey. The use of the term pocket square is at least a recognition that nobody actually blows his nose on a handkerchief these days, and the use of the pocket square itself is an acknowledgement that every navy blue blazer out there could do with a spot of color.)

What the couple got in the mail instead on Thursday would make an identity thief giddy: the confidential files of about 20 former employees, including Social Security numbers and W4 tax forms. (Source: Boston.com)

Plus hand-written resignation letters and performance reviews – not all that confidential, but who wants those sorts of innards exposed?

The mix-up occurred because of a labeling error. Apparently confidential info is shipped to whatever elephant’s graveyard it’s stored in, in the same type of bag they use to send out ties and pocket squares.

Fortunately, the confidential info didn’t fall into the hands of an identity thief. Not that it couldn’t have happened. After all, there’s no doubt that rogues who want to pose as upstanding members of Martha’s Vineyard society, and con their way in there, could be duding themselves up with ties and pocket squares from Banana Republic. (I’m sort of envisioning Michael Caine here, not Richard Dreyfuss. But mostly I’m thinking of my former neighbor “Clark Rockefeller” – psychopathic impersonator extraordinaire. But Clark didn’t exactly steal anyone’s identity, like Matt Damon in The Talented Mr. Ripley – he just made one up out of whole, very fine cloth.)

No, the information fell into the understanding and safe hands of Emily Dreyfuss:

‘‘We totally laughed,’’ Dreyfuss, 29, said on Friday from her home in Cambridge, Mass.

Dreyfuss, who runs the home page and also writes for technology website CNET, said she didn’t look through everything.

‘‘I got a queasy feeling and felt like I should stop looking at this,’’ she said.

I admire her restraint. While I certainly wouldn’t have done anything with the information, other than let the Gap know that I had it, I don’t know if I would have been able to resist grazing through those performance reviews and resignation notes. Although maybe I would have. At the Writers’ Room of Boston – where I am writing this post – we used to ask applicants for our needs-based fellowships to provide an explanation of why they had financial need. Some sent in such incredible detail about income and expenses that, when reading the applications, I got Emily’s “queasy feeling” myself. So we stopped asking for any backup, and just made it clear that the fellowships (which aren’t monetary: they’re a year’s free membership in The Room) are based on genuine need. We want them to go to poets who are adjuncting, not corporate lawyers who are trying to get some filler credentials to list on their artistic c.v.’s.

Mostly people self-select, and you really don’t know what people’s financial circumstances are, so we let it go at that.

But I did toss one applicant into the “no” pile when I saw her address – which I zillowed: $2M+ – and saw on her application that she worked for one of the major management consultancies. (If you’re thinking “Mitt Romney”, you’re not far off the mark.)

Another applicant self-unselected herself when she told me that her need was based on the fact that she had not yet taken her teen-aged children on a trip to Europe.

But, I digress….

Back to the story at hand, the receipt of the Gap info was, bizarrely, the second close encounter – sorry, couldn’t resist – that Emily had with someone else’s personal information in the last couple of months:

Here’s the crazier part: this is the second time in three months that confidential employment and financial information has accidentally been sent to us. Two months ago an Ivy League university mixed up some letters and sent us the employment records for a new professor. They meant to send my fiancé the final documents about his new post-doctoral position. (Source: EmilyDreyfuss on Tumblr)

As Emily points out in her post, these breaches aren’t the digital ones we’ve come to expect, with bad guys electronically swooping in and scooping up all sorts of our personal info and using it to buy iPads and Manolos. These errors are “old school”: slapping the wrong label on an envelope. Human error – these days who’s got time to double check?

But mixing up the ties and pocket squares on order, and sending the pink to Cambridge instead of the green, is an annoyance for the recipient. It doesn’t do anybody any harm. Packaging up confidential info, on the other hand, could do someone plenty of harm. Or embarrassment if, instead of alerting the Gap, Emily had been the nasty sort who went to town posting those resignation letters and performance reviews.

Bet the Gap’s working on a new process for sending out confidential files.

-------------------------------------------------------------------------------

This episode got me to wondering about whether we should be more worried about our information getting out old school-wise, or through digital means. So I googled “physical vs. digital data breach”.

The second item on the list – Worst Data Breaches of 2012, on a site called DABCC, a tech news/aggregator site – looked interesting, so I clicked on it.

I have to say that I was a bit weirded out when what came up was a piece that I’d written for a client.

So, if you’ve ever wondered just what it is I do for a living, given my complete and utter lack of interest in making even the most paltry attempt to monetize Pink Slip, this is it.
