Security Company McAfee Loses Employee Data

February 27, 2006

By Martin H. Bosworth, ConsumerAffairs.Com

Software security company McAfee touts itself as "[leading] the world in discovering, documenting, and addressing breaking threats and vulnerabilities." But now the company may be looking into increased security protection for itself, thanks to the loss of data on several thousand of its employees.

An auditor from financial services consultancy Deloitte & Touche lost a compact disc (CD) containing personal information on over 3,000 current McAfee employees in the U.S. and Canada, and 6,000 former employees.

The unencrypted data included names, addresses, Social Security numbers, and employees' stock holdings in McAfee.

The unidentified auditor had apparently been carrying the data on an unlabeled CD, and left it in an airline seat pocket.

The disc was reported missing on Dec. 15th, 2005. McAfee was notified of the incident on Jan. 11th, and after Deloitte conducted an internal investigation, the Santa Clara, Calif.-based software company began notifying affected employees by mail, with the last employee being notified in late February.

Neither McAfee nor Deloitte's spokespersons had an explanation for the length of time between the initial discovery of the theft and McAfee's notification.

McAfee has agreed to provide affected employees with up to two years of free credit monitoring, sponsored by Equifax.

Deloitte & Touche is a subsidiary of Deloitte Touche Tohmatsu, a multinational financial services consulting firm that specializes in auditing, corporate tax preparation, and consultation.

One of its chief areas of expertise deals with compliance with the 2002 Sarbanes-Oxley laws, passed to ensure much larger "paper trails" of businesses' accounting practices.

McAfee specializes in home and business security solutions, marketing numerous antivirus and antispyware products for users.

The McAfee data breach is the latest in a series of embarrassing incidents of data loss or poor security at major businesses. The nonprofit Privacy Rights Clearinghouse has compiled a chronology of data breaches since Feb. 2005, when Georgia-based data broker ChoicePoint first revealed it had lost the information of 145,000 individuals to a ring of hackers.

According to the group's chronology, 53 million individuals have been affected by data breaches or security failures since the ChoicePoint incident.

The news of the McAfee data loss was met with skeptical derision from the tech community, amused at the irony of a security company suffering a data breach, and exasperated at the inability of companies to protect their workers' personal information.

"How about someone filing a class action lawsuit against Deloitte?" said one commenter, referring to ZDNet's coverage of the incident. "The only way companies will understand that people's personal data is mission critical if the financial penalties for doing such idiocy becomes a mission critical expense."
