Boeing Screws 382k Current and Former Employees
Boeing is still refusing to encrypt portable electronic devices, which is surprising given both the ease of use and availability of encryption software today and the fact that even the bloated Federal Government is now encrypting laptops. So why is Boeing still behind the curve? Not only do they not encrypt the information, but they do a poor job of physically protecting that data from theft too. They dumped all of the names and socials of every employee who ever worked at Boeing on a single laptop and then allowed a thief to steal it.
From Seattlepi here:
A laptop with personal information on hundreds of thousands of Boeing Co. employees was stolen earlier this month, and the aerospace company will inform those potentially affected by the theft in a company e-mail today.
“In the first week of December, a laptop was stolen from an employee’s car,” Boeing spokeswoman Kelly Danaghy said. “That laptop had files that contained Social Security numbers for about 382,000 past and present employees, and in most cases it also included a home address, phone number and date of birth.”
The company will provide free three-year credit monitoring for employees whose personal information was compromised.
Last month, a Boeing online memo warned that another computer with “old, unencrypted salary planning files containing personally identifiable information on 762 individuals” had been taken from an employee’s home. “This incident underscores the importance for all Boeing employees to either use encryption or rid their computers of old, unused files, particularly those containing personally identifiable information,” Boeing said in the memo.
Boeing needs to make encryption of portable devices a mandatory part of their information security policy. And Boeing needs to do this from the management on down, not merely suggest in a stupid memo that employees handle information security themselves by choosing whether or not to encrypt or delete old files. Even deleting files does not adequately erase data from a hard drive, and any Boeing infosec employee must certainly cringe when he sees such foolish advice distributed in a company memo.
In the face of multiple data losses from multiple portable devices, Boeing should immediately institute a recall of all portable devices for a “compliance upgrade.” Systems should be audited for patches, spyware, and have disk encryption installed prior to reissuance to employees.
Boeing does not list a Chief Information Officer or a Chief Information Security Officer in their executive biographies. Perhaps it is time that they get one.
