[ISN] Auditor loses data on thousands of McAfee employees

InfoSec News isn at c4i.org
Mon Feb 27 02:09:16 EST 2006


http://www.computerworld.com/securitytopics/security/story/0,10801,109003,00.html

By Robert McMillan
FEBRUARY 24, 2006
IDG NEWS SERVICE

McAfee Inc.'s auditor, Deloitte & Touche USA LLP, may be thinking of
buying some security software itself, after a Deloitte employee left
an unencrypted CD containing sensitive information on thousands of
McAfee employees in the back of an airline seat in December.

The backup CD contained names, Social Security numbers and information
on stock holdings held by over 9,000 of McAfee's current and former
employees, company spokeswoman Siobhan MacDermott confirmed today.

The information concerned McAfee's U.S. and Canadian employees hired
prior to 2005, amounting to about 6,000 former employees and 3,290
current staffers, MacDermott said. The CD was left on the airplane on
Dec. 15, she said.

McAfee was informed of the incident on Jan. 11, nearly a month after
the disk was lost. After a Deloitte investigation determined who had
been affected, McAfee began notifying employees of the situation via
postal mail. The last of these notification letters was sent out last
week, MacDermott said.

All of those who were affected by the data loss are being given two
years' worth of free credit reports, provided by the Experian
Information Solutions Inc. credit bureau, she said.

"We have no reason to believe that there's been or that there will be
any unauthorized access to the information," MacDermott said.

McAfee is now in the process of changing its corporate policies to
ensure that this type of data loss does not occur in the future,
MacDermott said. "We're certainly reviewing how third parties work
with our data," she said. "We're working to make sure that we don't
have Social Security information on these types of files moving
forward."

Deloitte spokesman Jeffrey Zack confirmed that a "Deloitte and Touche
employee left an unlabeled backup CD in an airline seat pocket, and
the lost disk may contain certain personal information on current and
former employees." He would not comment on why the CD was not
encrypted.

Designed to protect data while "in transit and storage," McAfee's own
E-Business Client lets users encrypt files "with no technical training
or experience," according to the company's Web site.





More information about the ISN mailing list