Stolen: Google employees' personal data

By Brendon Chase
Special to CNET News.com Published: July 3, 2008 9:52 AM PDT

Tools

Related Stories: Stolen Boeing laptop held ID data on 382,000
December 14, 2006; Laptop theft exposes Hotels.com data
June 2, 2006; Laptop with HP employee data stolen
March 22, 2006
Related Blogs: Stolen Home Depot laptop exposes employee data
News Blog
October 18, 2007; IBM loses tapes with employee data
News Blog
May 15, 2007

Google has confirmed that personal data of U.S. employees hired prior to 2006 have been stolen in a recent burglary.

Records kept at Colt Express Outsourcing Services, an external company Google and other companies use to handle human resources functions, were stolen in a burglary on May 26. An undisclosed number of employees' details and those of dependents such as names, addresses, and Social Security numbers were on the stolen computers. It is understood that Colt did not employ encryption to protect the information.

It's still unclear how many more of Colt Express' clients were affected by the breach. CBS' CNET Networks, publisher of News.com, was also affected by the burglary, with about 6,500 employees' details stolen.

Although there is no evidence of misuse of the data to date, the information obtained could be used by identity thieves to create fake accounts and identities.

It's only come to light now that Google was one of the companies affected. Google itself was not burglarized, nor were any of its internal systems compromised.

Danny Thorpe, former chief scientist at Borland and engineer at Google who now works for Microsoft, was informed of the theft on July 1.

A letter from Google said personal data of Google employees hired prior to December 31, 2005, may have been stolen in the May 26 burglary of Colt Express Outsourcing Services. No credit card numbers were in the stolen data; just names, addresses, SSNs--all the information needed for a thief to open a credit card account under another's name.

According to Thorpe, Google has offered to cover the cost of a one-year subscription to a credit report and identity theft-monitoring service. Similar benefits were offered to CNET Networks employees.

ITWorld reported last week that Colt Express Outsourcing Services was in financial difficulty and could not help those affected. The company's CEO, Samuel Colt III, said in a statement "We do not have the resources, financial and otherwise, to assist you further."

"We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an ongoing basis," a Google representative said. "Google is not currently using Colt's services and had made this decision long before this incident."

Brendon Chase of ZDNet Australia reported from Sydney.

More from News.com on this story's topics: Identity theft
RSS feed; Outsourcing
Create an email alert | RSS feed; Down Under
Create an email alert | RSS feed; Google
Create an email alert | RSS feed

See more CNET content tagged:
Google Inc., Social Security, social security number, credit card, security

Add a Comment (Log in or register) 10 comments (Page 1 of 1)


by inachu July 3, 2008 10:30 AM PDT: We can use that new Law in Texas:
* Lawsuit says every repair technician in Texas must have private investigator's license
* Licenses are obtained with criminal justice degree or 3 year apprenticeship
* Violators can face up to a 4K fine and 1 year in jail; Reply to this comment


by ChecksAndBalances July 3, 2008 11:23 AM PDT: I've identified at least 6 clients affected by the Colt Express burglary on PogoWasRight.org: CNet, Google, Ebara Technologies, former Avant! employees, Punahou School District, and bebe stores, and there are probably more that we'll find in time.. Some of the clients, like Google, were no longer doing business with Colt but their unencrypted employee and dependent info was still on computers in the office that Colt reports were "password-protected."; Reply to this comment


by hawkeyeaz1 July 3, 2008 2:21 PM PDT: No encryption? Again, people ask "WHY?" It truly isn't that hard or expensive to implement, and it saves a lot of trouble and money.; Reply to this comment


by Get_Bent July 3, 2008 2:23 PM PDT: "Google is not currently using Colt's services and had made this decision long before this incident." This begs the question: If Google hasn't been using Colt Express Outsourcing Services for a while now, then why was Colt still hanging on to Google's employee data? Shouldn't Colt have turned it over to Google and deleted their copy? They had no business retaining this data from a former client. At the very least, Colt should have exported the data, encrypted it, stored it off site (in a secure facility), and purged it from the active database.; Reply to this comment


by Imalittleteapot July 3, 2008 9:07 PM PDT: Encryption is simply not going to work. The problem is too many people have access to your information to begin with, and all it takes is one person to forget to use it. That is why it will never work. We're never going to be able to protect everyone's identity like that. We need new laws and technology to make it impossible to use someone's identity even if they have your information. Are you telling me there's only one level of security? Nobody bothers to check or validate after that? Simply knowing my information should not be enough to use it. There needs to be more layers of security after that. You shouldn't be able to use my identity or open any accounts with my financial information unless my own bank down the street, where everyone KNOWS ME, APPROVES IT by me going in with my ID saying yes I approve it. They could charge me an approval fee. They could charge small fees to approve new credit cards, loans, or accounts in my name even if the account itself is at another bank. It would even be profitable to do it this way. What is the problem? Even if someone did take a fake ID into my bank, at least it is probably a local criminal that is more likely to get caught than if they can use my name from the other side of the globe. Just have a database where you can link my SN with the ONE bank you need to get approval from to use my identity. Then they can say hey, yeah I'll give you a credit card or whatever, but you have to head down to your bank to activate it. Then we'll call them and make sure we got that approval. If they don't get that approval. Too bad. It shouldn't count against me. They take the loss. If someone does become a victim of identity theft anyway, they should be given a new legal identity and SN straight away. Even if their information has simply been stolen and not used yet. Let the companies that aren't checking credentials correctly take the fall.; Reply to this comment


by blabtech July 4, 2008 9:26 AM PDT: When a company like Google can't keep their data secure, then it's a true problem.. I agree with the last post about how too many people have access to data to start with too..

http:://blabtech.blogspot.com; Reply to this comment


by jjcompliant July 5, 2008 1:26 AM PDT: this careless storage of people id needs to stop this is not going to happen until lawsuites and big payment settlements start to happening. corporation do not practice guardin and preventing lost they go until they have to pay and pay big time then they start lost prevention this is a bigger problem now that corporation have farm out to call centers all over the world india, central america, sudiaribia, all these call centers have your private info when you call for help, information how do these corporation protect your data in a foreign country when everything has a price and is sold easily?????

yes i agree with lamlittleteapot we give out our private info to readily to companies we need to start being more active in guarding our info; Reply to this comment


by cporpheus July 12, 2008 7:56 PM PDT: Any company dealing with sensitive information must use encryption, period. I recently lost my USB flash drive with all of my passwords in an encrypted file with a 63 character password and I feel perfectly safe.; Reply to this comment


by dannythorpe July 22, 2008 10:10 AM PDT: Original post: http://dannythorpe.com/2008/07/01/google-employee-records-stolen-in-colt-break-in/; Reply to this comment


by mojojam July 23, 2008 9:40 PM PDT: Do SSN's expire after 1 year? It should be a mandatory minimum 10 year credit watch. It should also be a Federal crime to maintain sensitive information and not have it encrypted. That would spur companies to make their data more secure from theft.; Reply to this comment