Google has confirmed that personal data of US employees hired prior to 2006 have been stolen in a recent burglary.
Records kept at Colt Express Outsourcing Services, an external company Google and other companies use to handle human resources functions, were stolen in a burglary on 26 May. An undisclosed number of employees' details and those of dependents such as names, addresses, and social security numbers were on the stolen computers. It is understood that Colt did not employ encryption to protect the information.
It's still unclear how many more of Colt Express' clients were affected by the breach. CNET Networks (publisher of ZDNet.com.au and Builder AU) was another company affected by the burglary with around 6,500 employee's details stolen.
Although there is no evidence of misuse of the data to date, the information obtained could be used by ID thieves to create fake accounts and identities.
It's only come to light now that Google was one of the companies affected. Google itself was not burglarised, nor was any of its internal systems compromised.
Danny Thorpe, former chief scientist at Borland and engineer at Google who now works for Microsoft was informed of the theft on 1 July.
I've just received a letter from Google that personal data of Google employees hired prior to 31 December, 2005 may have been stolen in the 26 May burglary of Colt Express Outsourcing Services. No credit card numbers were in the stolen data, just names, addresses, SSNs(Social Security Numbers) — all the info needed for a thief to open new accounts using your identity.
According to Thorpe, Google has offered to cover the cost of a one-year subscription to a credit report and identity theft monitoring service. Similar benefits were offered to CNET Networks employees last week.
ITWorld reported last week that Colt Express Outsourcing Services was in financial difficulty and could not help those affected. The company's CEO, Samuel Colt III said in a statement "We do not have the resources, financial and otherwise, to assist you further".
A Google spokesperson — who confirmed the data leak — confirmed that Google is offering all affected employees and former employees a free one-year credit monitoring service.
"We take the security of our employees very seriously and require outside vendors to meet appropriate security standards. We review and update these standards on an on-going basis.
"Google is not currently using Colt's services and had made this decision long before this incident," the spokesperson said.
This is the sort of thing that happens when you outsource. You are relying on a third party not only to service your need, but to secure your data, which this company should have done on principal alone. I am surprised Google even hired them to do this work without verifying that the data was secured by encryption and other methods.