[Dataloss] [follow-up] Boeing fires employee whose laptop was stolen (fwd)

security curmudgeon jericho at attrition.org
Fri Dec 15 07:23:46 EST 2006



---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://seattlepi.nwsource.com/business/295982_boeinglaptop14ww.html

By JAMES WALLACE
P-I REPORTER
December 14, 2006

The Boeing Co. said Thursday it has fired the employee whose laptop was 
stolen with personal information about nearly 400,000 retired and current 
company workers.

Files on the stolen computer contained salary information, Social Security 
numbers, home addresses, phone numbers and birth dates.

A person with knowledge of the matter said the employee data was not 
encrypted as company policy requires once it has been downloaded from a 
server.

Jim McNerney, Boeing's chairman, president and chief executive, said the 
breach of company policy was so serious that some Boeing managers also 
will be disciplined.

"This latest incident resulted from a clear violation of our 
data-protection policy," McNerney said in an e-mail to all Boeing 
employees.

"We have very strict and clear policies and procedures about how employee 
information is handled," he wrote. "An employee, despite proper training, 
failed to comply with those requirements and as a result is being 
dismissed from the company."

McNerney said action will be taken against some Boeing managers.

"I also believe strongly that management must be held accountable when 
repeated failures like this occur, so the employee's management chain will 
be reprimanded."

Boeing has not identified the employee or where in the company the person 
works. Nor has Boeing said where the laptop theft occurred. The laptop was 
stolen earlier this month from the employee's car.

Even though the employee data was not encrypted, the laptop was turned 
off. That means the person who stole the computer would not be able to 
access the employee data without a password to open the computer once it 
was turned on.

Boeing is notifying the estimated 382,000 workers, mostly retirees, whose 
names were in the laptop. The company said it will pay for fraud 
monitoring services for the past and current workers whose names and 
personal information was in the laptop.

This is not the first time a Boeing laptop computer with sensitive 
employee information has been lost or stolen. There have been at least 
three such cases.

When a similar theft occurred last year, McNerney said, Boeing implemented 
an "aggressive, multi-phased plan to better safeguard employee 
information."

"But the best policies, procedures, encryption software and 
awareness-raising in the world can't force people to use them," he said. 
"It's a matter of leadership and individual responsibility. Cutting 
corners is never acceptable --especially when the trust of the whole team 
is at stake."

McNerney said investigators do not believe the latest incident was aimed 
at identity theft.

"Our investigations and security teams have been working hard with 
law-enforcement officials to investigate this crime," he said. "Based on 
what we know at this point, we believe this incident was the result of 
petty theft, not an attempt at identity theft. However, as our 
communications yesterday described, we have put in place a series of 
actions that assumes the worst case. We are doing everything humanly 
possible to recover the laptop and our data, and see that an incident like 
this doesn't happen again."

McNerney said he had received many e-mails from Boeing employees about the 
computer theft. They expressed "disappointment, frustration and downright 
anger" about the incident.

"I am just as disappointed as you are about it," McNerney said in his 
memo.

He said Boeing is taking the right steps to prevent the loss of sensitive 
data from happening again.

"But to ensure that all Boeing-sensitive information is safe -- even in 
the event of theft -- each and every one of us must actually follow the 
policies and procedures and use the tools available to protect 
information," he said.



More information about the Dataloss mailing list