Facebook has again lost data on thousands of people, but this time, it’s the old-fashioned, smash-and-grab kind of data breach, done by a thief to an employee’s car.
Bloomberg Technology reported on Friday that a thief broke into an employee’s car and made off with payroll data for 29,000 current and former US Facebook workers.
The thief took unencrypted hard drives – drives that never should have been there – from a bag in the employee’s car.
Facebook said in an email to employees on Friday morning that the drives included payroll data, including employee names, bank account numbers and the last four digits of about 29,000 taxpayer IDs of employees who worked for Facebook in the US during 2018. The drives also contained other financial information, including salaries, bonus amounts, and some equity details.
A spokesperson told Bloomberg Technology that so far, the company hasn’t seen anybody try to exploit the employees’ data through identity theft.
The thief broke into the car on 17 November. Facebook supposedly realized the hard drives were missing three days later. On 29 November, a “forensic investigation” confirmed what type of information was on the drives. Facebook gave employees a heads-up about the theft on 13 December.
The Facebook spokeswoman said the police were duly notified:
We worked with law enforcement as they investigated a recent car break-in and theft of an employee’s bag containing company equipment with employee payroll information stored on it. We have seen no evidence of abuse and believe this was a smash and grab crime rather than an attempt to steal employee information.
As for the payroll employee responsible for leaving unencrypted drives in their car, they were duly disciplined, the spokeswoman said. The employee hadn’t been authorized to take the drives out of the office in the first place. The Facebook spokeswoman didn’t give details of how the employee was disciplined:
We have taken appropriate disciplinary action. We won’t be discussing individual personnel details.
Readers, how would you discipline an employee who tosses unencrypted drives into a bag and leaves it in their car?
I think I’d sit them down in front of Mark Stockley’s 2014 article about security mistakes that small companies make and how to avoid them, point out that not encrypting drives is goof numero uno, underline the word “small,” and remind them that Facebook is no pipsqueak, so all of its employees should, theoretically, know a whole lot better than small companies do.
And then, finally, wag my finger at Facebook IT, which might try harder when it comes to training employees to encrypt drives and to abstain from removing them from the office.
All of which is, of course, hypothetical. We don’t know what kind of drives the thief got away with. Nor have the drives been retrieved yet.
In its email, Facebook encouraged employees to notify their banks and offered them a two-year subscription to an identity theft monitoring service, Bloomberg said.
For a company the size of Fakebook:
1) Discipline the senior IT person who allows a set-up whereby:
a) Drives are not encrypted on receipt
b) Non-IT staff have access to stand-alone drives
c) People with access to critical data have equipment into which such drives can be plugged
d) Laptops are issued as the default PC (which can be taken home or tossed in the back of a car)
e) All sensitive IT equipment is not tagged so it cannot be taken out through your access turnstiles
2) Educate users as to why you have adopted the above “apparently restrictive” policies – forget the “apparently restrictive”, make that read “deliberately restrictive”. Emphasise that subverting these restrictions will be a disciplinary offence.
How did they find out it was unencrypted? Was it after the fact or the usual crime-never-happens-to-me mentality and to secure the drive is too much work?
In addition to what Shergar outlined above, I would fire the payroll person. Especially if they had no authorization to have that data outside of the office. Why did it take 3 days for Facebook to “realize” the drives were missing? The employee should have notified their manager and the security dept immediately. If the car was parked for a long period of time, there is no reason the employee should have left the equipment in the car the entire time. It’s their responsibility to secure it.
“who worked for Facebook in the US during 2018”
I have worked for Facebook in the US during 2016 and have received the “Notice of Data Breach”.