The computer contained confidential data, including names, Social Security numbers, birth dates, and other personnel information, such as hire and termination dates, according to a Dec. 6 letter Deloitte sent to victims. Some of the information belonged to people working at Deloitte subsidiaries.
The laptop, stolen during Thanksgiving week, was protected by a password but was not encrypted, according to the letter. Deloitte has no evidence any of the data has been used for fraudulent purposes, and police are investigating.
A company spokeswoman, in an email to SCMagazineUS.com, declined to reveal specifics about the incident.
“Yes, a laptop was stolen and Deloitte is working with the company involved and has communicated with its own people to help them limit any potential misuse of their data,” spokeswoman Deborah Harrington said. “That's the extent of our comment.”
Richard Baker, who worked as a manager in management consulting at Deloitte from 1990 to 1995, said he received a notification letter.
“What is particularly egregious about this situation is that Deloitte is a ‘noted' security expert with seminars, whitepapers, service lines, etc.,” he told SCMagazineUS.com in an email today. “One would think there would be security and encryption standards for all sensitive personal data, whether managed internally or by outside vendors.”
Baker said he now oversees the consulting division of a channel partner of Symantec, a major security firm.
Deloitte said in the letter that it has stopped working with the responsible vendor, who was not named, until it “can demonstrate that is has implemented appropriate data security protections. In addition we have an ongoing program to identify vendors who access confidential information regarding our personnel and to confirm that they have implemented appropriate protections.”
Deloitte, based in New York, plans to provide victims with one year of free credit-monitoring services, according to the letter. It also advised victims to notify their banks to be on the lookout for suspicious account activity.