Tuesday, October 02, 2007

Falling into the Gap

So what in the world was someone doing with a file containing 800,000 Social Security numbers on a personal laptop? Unencrypted, no less.

If you haven't seen the news, Gap announced late last week that someone had swiped a laptop that held the personal application data of some 800,000 of its job applicants. The laptop belonged to an employee of an outsourcer that was managing applicant data for Gap.

Storing data without encrypting it to protect it from hackers is contrary to Gap's agreement with the third-party vendor, Gap said Friday.

I can imagine that's true, but the vendor was apparently a little loosey-goosey about things. This will surely harm the reputation of the vendor, whose name will no doubt be "outed" shortly. I would suspect that a couple of heads will roll - whoever designed the database, whoever's in charge of data security, et al.

The schnook whose laptop was stolen may or may not be in any way responsible for the fact that he/she had all this juicy data on his/her laptop. Maybe the rank-and-filer was violating a policy that said you couldn't download this data. Maybe it was a case of circumventing processes and protocols for nefarious purposes. Maybe it was just a case of "I need to analyze this applicant data to see how many males between the ages of 18 and 20 applied for part-time work in Columbus, Ohio." They didn't want or need info that was sensitive; it just came in the package. Click "Open" or "Save". Oh, why not click "Save"? That way I'll have the data I need so I can do my work on the plane.

The schnook may, of course, be the one and only sacrificial lamb. We've certainly seen that happen. Bah....

"What happened here is against everything we stand for as a company," said Gap Chairman and CEO Glenn Murphy. "We're reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again."

Gap had better be "reviewing the facts and circumstances". One of the fallouts of our regulation-happy world is Sarbanes-Oxley. The not-so-fine print on SOX requires that you not only keep your own nose clean with respect to information access; you also need to ensure that any third-party outsourcers you hire have security in place to make sure that "sensitive data" is protected. (I'm no database-security guru, but it seems to me that someone should have toggled some type of attribute switch that prevented such sensitive info from being downloaded from wherever it lives.)
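The "attribute switch" wished for above does exist in most databases: column-level privileges. Here is an added example (not from the post, and not the vendor's or Gap's actual schema) using PostgreSQL. The applicants table, its columns and the hr_analyst role are all hypothetical; the point is that the headcount report the analyst wanted still runs, while a grab-the-whole-table export is refused because the SSN column was never granted.

```sql
-- Added illustration, not code from the post. Assumes PostgreSQL.
-- Table and role names are hypothetical.
CREATE TABLE applicants (
    id              serial PRIMARY KEY,
    full_name       text NOT NULL,
    ssn             char(11) NOT NULL,   -- the column nobody should be exporting
    birth_date      date NOT NULL,
    sex             char(1) NOT NULL,
    city            text NOT NULL,
    state           char(2) NOT NULL,
    wants_part_time boolean NOT NULL
);

-- A role for the people who run headcount reports. Start from no access at all.
CREATE ROLE hr_analyst NOLOGIN;
REVOKE ALL ON applicants FROM PUBLIC;

-- Column-level grant: only the demographic columns are readable by the role.
-- ssn and full_name are simply never granted.
GRANT SELECT (id, birth_date, sex, city, state, wants_part_time)
    ON applicants TO hr_analyst;

-- Switch to the analyst role (works for a superuser or a member of hr_analyst).
SET ROLE hr_analyst;

-- The report from the post still works: males 18-20 seeking part-time work
-- in Columbus, Ohio. Only granted columns are referenced.
SELECT count(*)
  FROM applicants
 WHERE sex = 'M'
   AND date_part('year', age(birth_date)) BETWEEN 18 AND 20
   AND city = 'Columbus' AND state = 'OH'
   AND wants_part_time;

-- ...but "just save the whole thing" does not. SELECT * touches ssn and
-- full_name, which the role was never granted, so PostgreSQL refuses the
-- query with a permission-denied error.
SELECT * FROM applicants;

RESET ROLE;
```

Two caveats a practitioner would add. First, this only controls what leaves the database through this role; a reporting tool or batch export job that connects as a more privileged account bypasses it, so those accounts need the same treatment. Second, it does nothing about data that has already landed on a laptop, which is why full-disk encryption on endpoints is the separate control the post's opening paragraph is really asking for.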

So, there's obviously a gap here that someone at Gap might fall into. Did they take enough precautions with their third-party vendors? Obviously, they can't be in there everyday checking to see what's on Joe Blow's laptop. But I'll betcha anything that the third-party vendor was required to demonstrate to Gap and all their other customers that they have all sorts of checks and balances in place.

And just so everyone believes them, they probably used an auditor to come in and attest to the fact that they do have all these checks and balances in place AND working.

Which means there's probably going to be an auditing firm on the hook for not having done a particularly good spot check on the Joe Blows of the third-party world to make sure they weren't leaving unencrypted data lying around.

Gap is notifying the affected applicants and offering a year of free credit monitoring services with fraud resolution assistance. The company has also set up a 24-hour help line.

Think of all that data about us that's floating around in hyperspace. We - fingers crossed - keep believing (without thinking too much about it) that all this information is safe. People talk about mission-critical data. From a personal point of view, the Gap applicant data is certainly mission critical to each applicant's personal mission of staying financially solvent and keeping their identity and reputation intact.

With all the hoopla about information security, it's amazing that a company would be so lax about data like this. On the other hand, when it all comes down to human error and judgement.....

The winners here: any companies that deal in information-security and process-control products and services; third-party job-application managers that aren't the one caught out; auditors that aren't the one that audited the bad-news third-party vendor.

The losers: obviously the third-party vendor and their auditor (if any). Gap (whether or not they did everything they could to ensure that the third party was doing its job). And, obviously, the 800,000 job applicants who are now worried about some evil-doer using their identity to set up a parallel life 1,000 miles away. All in exchange for a shot at a job that came with a discount on chinos...

------------------------------------------------------------------------------

Quotes used in this post are taken from an AP article by Rachel Konrad, which appeared in The Boston Globe.
