VeriSign, Inc., the company that operates the digital infrastructure that enables and protects billions of interactions across the world’s voice and data networks every day, notified current and former employees this week that their employee data was lost in a recent laptop theft. The market leader in SSL certificates and secure web transactions left an unknown number of current and former employees exposed to identity theft because the data on the stolen laptop was not encrypted.
We received a copy of the letter sent to an unknown number of current and former VeriSign employees. An excerpt of the first page is presented below:
The purpose of this letter is to inform you that a laptop possibly containing VeriSign employee information was stolen from the vehicle of a VeriSign employee, while parked in the employee’s Northern California garage between the evening of Thursday, July 12, 2007 and the morning of Friday, July 13, 2007. The laptop possibly contained personal information including name, Social Security number, date of birth, salary information, telephone numbers and home addresses, but it did not include credit card numbers, bank account numbers, or password information. The laptop did not contain any information about any VeriSign customers.
This note has two communications objectives: One, to let you know what VeriSign is doing out of the abundance of caution to alert employees and ex-employees and share what resources we are offering to help you. And, two, to underscore the importance of protecting sensitive and proprietary information.
First off, we are contacting all individuals whose personal information may have been on the stolen laptop. We have no reason to believe that the thief or thieves acted with the intent to extract and use this information; the police have indicated that there may be a connection to a series of petty thefts in the neighborhood. The laptop was fully shut down and requires a username and password to log on to the Windows application. To our knowledge, the thieves do not have the password.
VeriSign already has a strong Information Security Policy in place, which in this case was unfortunately not followed. VeriSign’s Information Security Department issues a quarterly publication to remind employees of this policy. For this incident, we disabled any access by the employee’s computer to the VeriSign network or any information located on the VeriSign network, going forward, and we are reviewing our security procedures to help prevent a recurrence of this type. Among other things, we plan to implement procedures to more strictly enforce our policy of encrypting sensitive data stored on company computers.
Just in case that isn’t clear, the company that processes secure transactions, issues security certificates and runs the .com registry apparently can’t (or more accurately won’t) secure its own employees’ data. If the laptop is secured only by a Windows login account, it’s basically already exposed: anyone marginally interested in reading the contents of the laptop hard drive could, with just a few minutes of Google research, discover numerous ways to bypass the Windows login security and access the contents of the drive.
The company did not indicate what, if anything, was done to the employee who left the laptop in the car.
In the letter, VeriSign offers to provide a free one-year subscription to the Equifax Credit Watch Gold with 3-in-1 Monitoring (retail value $155.40) to those potentially affected. Other than that, they recommend that current and former employees place a “fraud alert” on their credit file.
The first page of the 5-page letter is shown below.