Included in the information were applicants' Social Security numbers, according to Gap. The stolen laptop contained personal information for those who applied for jobs with the company's Old Navy, Banana Republic, Gap and Outlet stores in the United States, Puerto Rico and Canada between July 2006 and June 2007, the company said.
"We're reviewing the facts and circumstances that led to this incident closely and will take appropriate steps to help prevent something like this from happening again," Gap Chairman and CEO Glenn Murphy said in a statement.
Because it relies on multiple contractors for managing job applicant data, Gap said that not all applicants from that time are affected.
The unidentified consulting firm said it notified local law enforcement authorities as soon it discovered the laptop was stolen, according to a Gap statement. Police are investigating the theft.
The information on the stolen laptop was not encrypted, contrary to Gap's agreement with the vendor, according to the company statement.
"It used to be that IT departments could do their 'best effort,' and hope everything was encrypted," Steven Sprague, CEO of Wave Systems, a developer of disk-encryption software, told SCMagazineUS.com. "But obviously that wasn't good enough, because ultimately the state of California passed regulations, and if a stolen hard disk was not encrypted, they need to tell everyone when the drive is lost or stolen.
Additional burden falls on IT staffs after a data breach, Sprague added.
"The problem is, laptop theft is going to continue," he said. "So it's up to IT to ensure that no data is lost for the corporation if I accidentally lose my laptop or my laptop is stolen."
The company urged individuals who applied online or by phone for a job between July 2006 and June 2007 to contact the Gap's security assistance hot line at (866) 237-4007. Gap has posted more information on its assistance program at a security assistance website.