Hard Lesson in Google Data Breach
"You can't just throw the data over the fence and hope your problems go away."
Google (NASDAQ: GOOG) has found itself in a number of privacy-related controversies, ranging from general user concerns over search records to its new Google Health site for storing personal medical records. But now some of its own employees face the threat of identity theft.
Last week the search giant revealed that on May 26, thieves broke into the offices of Colt Express Outsourcing Services of Walnut Creek, Calif., and stole several PCs containing the personal information of Google employees, along with employees of CNET Networks and other clients of the firm.
This wouldn't be a problem if it weren't for the fact that the data was not encrypted in any way, so the thieves can power up the PCs and get at all of the information.
Colt didn't have truly sensitive information, such as credit cards, bank records or PINs, but it did have names, addresses and social security numbers, more than enough to acquire a credit card under false pretenses. Google is now in the process of notifying States attorneys general and its employees about the breach.
Google ended its relationship with Colt on Dec. 31, 2005, but data from employees hired before Jan. 1, 2006, was still with the company. It would not say why.
Most data breaches come from lost or stolen laptops, but in the break-in at Colt's offices a number of desktop PCs were stolen. There was no answer at Colt's offices, and if the company's home page is any indication, there isn't much of a company left, either.
Google said it does check on the security processes for its outsource partners to insure they have proper data protections. Beyond that, it would only refer to a statement it has issued to all press: "We take the security of our employees very seriously and are taking appropriate measures to ensure that all affected Googlers are properly protected. No users were affected, and no Google systems were compromised."
Companies need to take the security precautions of their outsourcing partners as seriously as their own, said Avivah Litan, senior analyst for security with Gartner (NYSE: IT).
"The takeaway here is that a lot of companies think that in outsourcing their data processing or storage, you're off the hook or the scope of your security efforts is greatly reduced. What they don't do is due diligence on their outsourced service provider," she told InternetNews.com.
Targeting sensitive data?
Litan wondered if Colt wasn't targeted because it had sensitive data. "In this case, if they are going after a set of computers, 'the thieves' may have more information than we know about," she said. "They may know that company has sensitive employee data. So it could have been a deliberate attack on the data, not just the computers, in which case there is a much higher chance the data will be abused."
Companies are looking to outsourcing more and more, but need to realize that the buck stops with them, not the service provider, because it's their data, Litan went on to say.
"It's their customers, their employees," she said. "If they use an outsource service provider that doesn't use secure practices, that's their problem. You can't just throw the data over the fence and hope your problems go away," she said.
Article courtesy of InternetNews.com