A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. has been stolen. The computer contained social security numbers and other sensitive information belonging to residents of the US and Puerto Rico who applied online or by phone for jobs from July 2006 to …
You could probably scam them with the introduction/processing/postage/credit check fee towards GAP and reinput them into the system; for $10 each at 90% failure 10% takeup for $800,000 cash.
Just flash the details you have to credit yourself as real, be it name, birthdate, qualifications etc. and ask for 10 bucks as SA say.
There should be no need
... for as many as 800,000 job applications to ever be on the same laptop.
There might be some justification in an interviewee having data on applicants that he had to interview during the coming week, but that should be the limit. Nobody can possibly interview 800,000 people in a week so there is no need whatsoever for any one person to have access to all that information.
Indeed, in a well managed system it should simply not be possible for anybody to make a copy of the full database, authorised or otherwise.
Social In-Security Numbers nicked AGAIN!
So here we go again with ANOTHER 800,000 people whose finances could be ripped limb from limb because some twit couldn't secure a computer and the GAP "NEEDS" to use the SSN as an identification method. Un-encrypted to boot!
It sounds like the Gap's IT people need to conquer the huge "GAP" between their ears.
Have any I.T. people working for the US Government ever thought to come up with a way to use a P.I.N. number or password in conjunction with the damned social security number?????
You know, kind of like how credit card companies have the extra 3 digits on the back of the card that you use when the card cannot be presented in person? Nothing more than simple fraud prevention, DUH!!!!
Even the Motor Vehicle departments know enough to scramble the digits.
Few people realize that there are existing laws on the books that expressly forbid the use of Social "Insecurity" numbers by anyone other than the Federal government.
So our lame brained government requires the SSN to identify people, everyone else adopts its use, the Feds don't take them to court for breaking the law and now the whole idea of the SSN is utterly useless because the Russian Mafia now has everybody's identity.
I'm beginning to be convinced that all this identity theft is a HUGE conspiracy to make people beg the government to put RFID chips in their left arms so they will feel "safe again".
The only thing that will make me feel safe regarding SSN is one of those RSA keys that generate a 256 character passcode that changes every 30 seconds.
That and making identity theft grounds for justifiable homicide with the victim getting to choose just exactly which long lingering, painful death the perp gets.
USA "privacy" is a joke.
Privacy laws in civilized countries at least make stuff like this a crime. In Canada, for instance, asking for the Social Insurance Number on a job application is illegal (employers only get it when they hire you, and only for dealing with the government income tax dept.). You're certainly not allowed to use it as an ID number for anything not income tax related!
Meanwhile, in the USA, I doubt this company will even be slapped on the wrist. This is the country that forced Europe to hand over private airline passenger data (protected in Europe) under threat of economic sanctions? Then had the temerity to insist that they had "adequate privacy safeguards in place"???
What the hell were these details doing unencrypted on a laptop anyway? What were they doing on a laptop in ANY fashion?
We should all use George Burns' SSN
The running joke was that it was "one".
Good night Gracie!!
It's not as bad as it sounds....
800,000 Gap applicants' data lost is not really that bad. After all, if these people had all that much money/assets to be ripped off, they wouldn't be applying to work for Gap, would they?
To be fair, they may be slightly better off than those applying to work for McDonald's?
London Underground knew this would happen all along ....
Continuous recorded messages ... "MIND THE GAP".
The more important question.....
This seems to imply that The Gap is collecting Social Security Numbers from people who have APPLIED for jobs but don't actually work there.
I wouldn't give any employer my SSN until I was damn well being put on the payroll.
Re: There should be no need
"Indeed, in a well managed system it should simply not be possible for anybody to make a copy of the full database, authorised or otherwise."
Umm... What about backups? I have it on good authority that most sysadmins WANT to back up the full database. Otherwise, you're SOL when your drive/array dies. Similarly, you WANT to be able to copy the full database in other scenarios, for example if you're converting to a different software (application and/or database). You really don't want to have to re-enter all of your information, nor do you want to run two different systems if you can get all the data into one. So while I understand your thinking, there certainly are certain cases where you do want to be able to copy the full database.
As for all this hooplah about social security numbers, I really don't get it. Everyone always says "Hide your social security number!", "Don't tell anyone your social security number!", "Make sure you shred anything that has your social security number on it!", etc. And yet the I.R.S. (the Internal Revenue Service, to whom U.S. taxpayers pay their income tax) ***REQUIRES*** you to WRITE YOUR SOCIAL SECURITY NUMBER ON YOUR PAYMENT! My estimated withholding vouchers actually say "Enter your SSN and '2007 Form 1040-ES' on your payment". When the government tells you to write your social security number on a check which is handled by an unknown number of people from several companies/agencies (in my case, MBNA signs for delivery when I request delivery confirmation from USPS), you have to be an idiot to think that you can "protect" your social security number. Also keep in mind that the credit agencies (Experian, etc) have this information and give it out to all and sundry.
It's not hard to believe the data is lost, but 800,000 applied for the job; that's pretty impressive for the kind of job it is. With this number, is it possible that this may have ceased to be a crime and turned into drudgery? There can't be that many who have any credit to speak of anyway, so they will have to put their backs into it to glean the good ones, if any. I think if you're going to be a criminal, at least pick a crime that's fun.
"Continuous recorded messages ... "MIND THE GAP"."
It's actually "MIND THE GAPPE" - it's a type of giant bat that hides under the platform.
Perhaps the person who has all this data is trying to build up a portrait of Generation Post-Z, or whatever generation came after the one that came after Generation X. Perhaps Douglas Coupland has stolen the data, and he is trying to restart his career, with a new book called "iCyberslackerpeople: The Power of Collective Thinking: The Gap" or "Generation (the) Gap" or "Bunch o'Gap" or "I Gap Bigger'n You".
"Monkeys Fling Gap at Each Other".
It's only going to get worse
Just wait until the state and the big corporations start using biometric info to identify people. Then the Russian Mafia will really have a field day...
The only thing that really surprises me ...
... is that there are 800,000 people on the planet who want to work for GAP.
SSN should never have been used for security
Whoever thought a static SSN should be used as a *secure* identifier is a moron. SSN should be thought of as a *public* unique identifier. Unfortunately US banks, credit card companies, employers, libraries, etc use it to "verify" our identities and not just as a UID. This is stupid, because as soon as the number is used once on any application it is no longer a secret known only by the owner.
Even if the Gap hadn't lost the laptop, one shouldn't have to trust their employer with credit/banking details.
The situation we have now is the fault of the banks and credit cards who use nothing more than name, SSN and address to verify a person. Ideally we would be using certificate authorities or other cryptographically secure means of identification. Potential breaches could happen but at least we would not have to hand over the master keys on every application.
Encryption is simple and inexpensive
Why are businesses still not using encryption?
XP has built-in support, there are plenty of fully functional free products, and compared to the price of the laptop, commercial solutions are inexpensive.
Also I am guessing identity thieves want to rip off lots of people for relatively small amounts of money, that each individual case will be small enough that the police do much of an investigation.
Let's be clear: the governments of Europe handed this passenger data over to the United States perfectly willingly. They could have called the US bluff and said no. It was your own elected officials who did this, and yet rather than doing something about that (replacing them?) you whinge and moan and say "the US made us do this". Your governments were just as happy to go along with it, because now they can continue paying lip service to privacy while still having somebody do all of this invasive (if largely ineffective) screening _and_ not having to pay the cost of actually doing it. If your privacy laws allow this information to be handed off to the US, then they are just as ineffective as the ones in the US and you should stop fooling yourself.
Economically, the US needs Europe just as badly as Europe needs the US. If the formation of the EU isn't enough to provide a counter to the US running roughshod over everyone, why the hell are you paying all of those people to sit around on their asses in Brussels?
"why the hell are you paying all of those people to sit around on their asses in Brussels?"
That's what most of the UK voters are trying to find out.
Another day, another dickhead...
Seems there are still companies out there who employ morons in their IT departments. I could understand if there were a couple of records, either in an "offline documents" folder or as cache, but any more than that and it suggests that GAP have no IT security.
RE: @yeah right
As a "European" I agree largely with what you're saying. The only point I will pick up on is:
"It was your own elected officials who did this, and yet rather than doing something about that (replacing them?) you whinge and moan and say 'the US made us do this'."
You mean we should vote for who we want in the way that you guys voted for George W? ;~)