Data Thieves Fall Into The Gap
Written by Evan SchumanThe Gap re-learned two security lessons on Friday: make sure outside vendors comply with your security policies and beware the laptop’s ability to make unecrypted data so easy to take.
The Gap reported that personal data (including Social Security numbers) of some 800,000 job applicants was stolen “from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc..” The clothing chain said it has contacted those believed to be impacted and “is offering them a year of free credit monitoring services with fraud resolution assistance, along with a dedicated 24-hour helpline.”
Gap has a stated policy against storing non-encrypted data and “contrary to (Gap’s) agreement with the vendor, the information on the laptop was not encrypted.”
Gap’s statement also apologized for the incident and strongly hinted that the unnamed contractor would be punished.
?Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously,? said Gap Inc. Chairman and CEO Glenn Murphy. ?What happened here is against everything we stand for as a company. We?re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.?
People potentially impacted would have applied for jobs for Old Navy, Banana Republic, Gap and Outlet stores from the U.S., Puerto Rico and Canada between July 2006 and June 2007. But because Gap uses more than one vendor to manage job applicant data, the statement said, “not all people who applied for work” during those times had their data stolen.
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
