Stolen Laptop Leads To Data Breach At VeriSign

August 6, 2007

By Martin H. Bosworth, ConsumerAffairs.Com

http://www.consumeraffairs.com/news04/2007/08/verisign_breach.html



A laptop containing extensive personal information on an undisclosed number of VeriSign employees was stolen from an employee's car on July 12. The information included names, addresses, Social Security numbers, dates of birth, telephone numbers, and salary records.

VeriSign, which manages the usage and sale of Internet addresses such as ".com" and ".net," and offers security certification for Web sites, has not publicly disclosed the breach as of yet.

But a writer for the WizBang blog obtained a copy of the letter sent to VeriSign employees informing them of the theft, and published excerpts on the site.

"We have no reason to believe that the thief or thieves acted with the intent to extract and use this information; the police have indicated that there may be a connection to a series of petty thefts in the neighborhood," the letter reads in part. "The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password."

Of course, if the laptop's sole protection is requiring a password and username to get through, that pretty much guarantees hackers will have access to the data in short order, since anyone with even the most basic computer skills can extract data in such an instance.

The data was also unencrypted, apparently violating VeriSign's security policies. The Register's John Leyden obtained a statement from VeriSign that claimed the unidentified employee had "left the company."

"The Company has a policy on how to manage laptops that contain sensitive information and company data - which in this case was not followed," the company said in its statement. "Going forward, we will continue to review our security procedures to prevent future human errors of this type."

Although data breaches caused by laptop thefts are an embarrassment for any company, it's a particular cross to bear for VeriSign, as the company's security certifications are used by millions of Web sites the world over.

The Mountain View, California-based company recently disclosed that it spent $570,000 in the first six months of 2007 to lobby Congress on issues of Internet security, privacy, and taxation issues.

In its employee letter, VeriSign offered a year of free credit monitoring from Equifax for any affected individual, and recommended placing fraud alerts on credit accounts to watch for signs of fraud or identity theft.


main page ATTRITION feedback