AT&T Laptop Theft Exposes Employee Data

AT&T and Maryland's Department of the Environment have become the latest organizations to find out first hand why security analysts for some time now have advocated the use of encryption to protect sensitive data on laptops and other mobile devices.

A laptop containing unencrypted personal data on current and former employees of the AT&T Corp. was stolen recently from the car of an employee of a professional services firm doing work for the company. That theft prompted the company to notify an unspecified number of individuals about the potential compromise of their Social Security numbers, names and other personal details.

A spokesman for AT&T today confirmed the July 27 incident and said it affected only employees of the former AT&T Corp. acquired by SBC Communications Inc. in 2005. No data involving employees of SBC, Bell South or Cingular was affected, the spokesman said.

According to the spokesman, the stolen laptop contained AT&T Corp.'s benefits plans information and was password protected. He did not say whether the person from whom the laptop was stolen was authorized to carry the information on the device.

But he did note that the data "was not stored in a way that was consistent with AT&T policies." Those policies call for encryption of sensitive data as well as "physical security measures." He declined to elaborate.

AT&T learned of the theft on July 31 but began notifying affected employees only on Aug 20. The company needed that time to identify exactly whose information was involved and locate their contact information, he said. "The various files that were stored on the laptop were in a variety of formats -- none of which contained up-to-date addresses," the spokesman said.

All the individuals affected are being offered a year's worth of free credit monitoring services, he said.

Tony Walton, a former AT&T Corp. employee based in Gosport, Ind., was one of those who got a notification letter from Dorothy Attwood, the company's chief privacy officer.

"I'm kind of pissed off about it," said Walton, who expressed frustration at what he claimed was AT&T's refusal to divulge more details about the incident. The letter described the theft as a random incident. But Walton said he would have liked to know more about the circumstances under which the laptop was stolen to gain a better understanding of the risk to his personal data.

Walton said he called the toll-free number provided by AT&T and was told that the data on the laptop had been encrypted and he had nothing to worry about. "I just don't like the way they are handling it. They just won't tell us anything," he said.

Walton also questioned AT&T's offer of free credit-monitoring, saying it may not be enough since there's no telling how long his personal data could remain exposed.

Meanwhile in an unrelated incident, Maryland's Department of the Environment (DOE) said in a statement yesterday that a laptop belonging to an employee had been recently stolen from a vehicle. The computer contained four state databases with personal information of licenses issued by various agencies. The data included Social Security numbers, names, addresses and phone numbers. According to the agency, the information on the computer was password protected but there was no mention of whether it was encrypted or not.

Affected individuals have been notified and all major credit bureaus have been alerted, the DOE said. A spokesman for the agency did not immediately respond to a request for comment.