About 8,000 clients of MD Management have been affected by the latest laptop theft to hit the headlines. The private details, including financial data, of hundreds of Canadian doctors and their families were compromised in the incident. The company has cited employee error, but experts at InfoWatch say a lax approach to IT security by senior management at the firm is to blame.
The private data of hundreds of Canadian doctors and their families were compromised after a laptop computer was stolen from the car of a financial services company worker. As a result of the security breach, confidential data, including sensitive financial details, have fallen into the hands of the thieves.
On June 29 MD Management, a subsidiary of the Canadian Medical Association, sent letters to 8,000 clients informing them that a laptop computer containing detailed information about their “financial and professional circumstances” had been stolen. The computer was taken from an MD Management employee's locked car during a break-in at a supermarket parking lot. All the contents of the vehicle were stolen, including the computer. It just so happened that earlier that day the employee had downloaded several thousand client files to the laptop.
After the employee contacted head office, officials checked source files to determine what information had been copied. The files include such identifying information as names, ages and addresses as well as professional and financial information. The computer was protected only by a password; the data on it was not encrypted.
MD Management has hired a private investigator to try to track down the laptop. The company has also contacted Canada's two credit bureaus, Equifax and TransUnion, to protect those affected from falling victim to identity theft. Those bureaus will monitor the accounts for as long as six years, telling financial institutions to double-check the identity of anyone using the information.
In an official statement the company put the incident down to employee error and promised to take measures to make sure such incidents were not repeated.
“Accusing one of your employees of negligence is the easiest thing to do; admitting that the root of the problem lies in the management’s attitude to IT security is much more difficult. Encryption protection for laptops that contain private data should be stipulated in the corporate security policy. The company needs to buy the necessary software and explain to their employees that they have to encrypt their clients’ personal information. That is the only solution to the problem,” explains Denis Zenkin, marketing director at InfoWatch.
Source: CBCNews