December 11, 2008, 3:51 PM — Technology vendors Hewlett-Packard and Symantec are warning employees that their names and Social Security numbers may have recently fallen into criminal hands following two separate laptop thefts.
HP said Thursday that at least several thousand employee records were contained on a laptop that was stolen several months ago from an HP employee based in the Houston area. At first HP thought that there was no sensitive information on the laptop, but after looking into back-up files, the company realized that it contained names and Social Security numbers of current and former employees.
"The laptop was an HP-issued PC that contains standard HP security protocols," HP said. However, the company would not have had to notify employees had the laptop been encrypted.
The Symantec breach occurred on Oct. 18 and affected fewer than 100 employees who were being laid off as part of a restructuring of the company's IT operations. "Somebody who was working on the project took their computer home with them," said Cris Paden, a Symantec spokesman. "Burglars came in and stole a bunch of items in the house."
Symantec has nearly completed the process of encrypting all corporate laptops, Paden added.
Both companies are working with law enforcement on the thefts and say that they have no reason to believe that the data has been misused.
Still, it's embarrassing for two companies that sell products designed to protect data to have to report data leaks themselves, said Gartner Research Analyst Avivah Litan. "There's really no excuse," she said.
Encrypting company laptops so that this type of data cannot be easily read is a time-consuming job, but it's not a major technical challenge, she added. "They need to eat their own dog food and get on with the job. They obviously aren't making it a priority."
Although data breach laws have been on the books since 2003, Litan estimates that just 25 percent to 35 percent of U.S. companies have taken adequate steps to secure their laptops.