Laptop with Hewlett-Packard employees' ID stolen

March 22, 2006

By Nicole C. Wong, Mercury News

http://www.mercurynews.com/mld/mercurynews/business/14162732.htm



A laptop computer containing the names, Social Security numbers, compensation and other information for 196,000 current and former Hewlett-Packard employees was stolen a week ago, HP confirmed Wednesday.

The employees were all participants in HP's company-sponsored retirement plans administered by Fidelity Investments. Fidelity sent e-mails and letters overnight Tuesday to the retirement plan participants notifying them that the Fidelity laptop had been swiped.

``We have no indication that any of the information's been misused,'' Anne Crowley, a Fidelity spokeswoman, said Wednesday. ``We went back and monitored activity in accounts since the theft, and we find nothing to indicate there's any unusual or suspicious activity.''

The Boston-based financial services company, which administers HP's defined benefit pension plan and 401k retirement plan, has stepped up monitoring of its HP accounts and added more authentication measures so participants must provide extra personal information to access their accounts.

Fidelity would not say how or where its laptop was stolen on the evening of March 15 because a local law enforcement agency is investigating the case. But Crowley noted, ``the law enforcement agency did tell us there have been other laptop thefts in that area recently and they've largely appeared to be related to property theft, as opposed to someone setting out for data theft.''

Over the past year, there has been a spate of high-profile security breaches of computerized data both locally and nationally that left thousands of people vulnerable to identity theft. In some cases, computer disks were stolen or back-up tapes were swiped. Other times, the data was left behind in an airplane seat's pocket or other public place.

HP said in a statement that it is ``working closely with Fidelity to minimize the impact of this information breach.'' The Palo Alto-based computing and printing giant also notified its 54,000 current and 142,000 former U.S. employees who participate in the plan about the theft.

John Dunse, an engineer who retired after working 30 years for HP and then its spin-off Agilent, received a letter from Fidelity delivered Wednesday by the United Parcel Service.

``The one thing I can't figure out is why these companies keep this sensitive information on laptops,'' said the 64-year-old San Jose man. ``It's ridiculous. It's going to cost them a pile of money.''

Fidelity would not comment on whether it has experienced this kind of security breach before. But Crowley said the company usually does not keep this level of confidential data on laptops. Exceptions are made when employees need to take the information to client meetings to discuss the plans and participants, and that's what happened in this case.

Crowley said the laptop theft took place outside the walls of both Fidelity and HP. While Fidelity says it is taking the incident ``extremely seriously,'' the company said it believes the stolen data will be hard for someone to misuse.

In its four-page letter to HP plan participants, Fidelity underlined the portion that read: ``It is important for you to know that the license to the software which contained the data has expired. As a result, the scrambled data is difficult to interpret... it is in a form that is generally unusable.''

Still, Fidelity pledged to reimburse participants for any unauthorized transactions in their pension or retirement accounts that the company finds occurred because of the stolen laptop. It also is paying for a year of credit monitoring by Equifax, one of the three major credit reporting companies.

Dunse, the San Jose retiree, said he was wary when he received the letter from Fidelity about the data theft.

``When I first read that, I wasn't sure if it was for real or from somebody on a fishing expedition,'' Dunse said. So he used the UPS Web site to trace the letter through its delivery route back to the sender.

He signed up for the credit monitoring service and placed an initial fraud alert on his credit file.

``And I hope nothing will happen now,'' he said.

[an error occurred while processing this directive]