Data for 800,000 job applicants stolen

Mind the Gap


A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. has been stolen.

The computer contained social security numbers and other sensitive information belonging to residents of the US and Puerto Rico who applied online or by phone for jobs from July 2006 to June 2007, the retailer said in this list of frequently asked questions. Details for applicants living in Canada were also exposed, although they didn't include social insurance numbers.

The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data. The Gap didn't identify the vendor or explain why it failed to encrypt such a large number of applicants' personal information.

Gap joins scores of other organizations that have lost sensitive information entrusted to them. The US Department of Veterans Affairs, IBM and VeriSign have also been dogged by laptops or storage tapes that weren't encrypted and were later lost or stolen.

More recently, high-stakes data breaches have resulted from criminals who found ways to exploit weaknesses in corporate networks. Last week, TD Ameritrade said hackers infiltrated a database containing social security numbers, birth dates and account numbers on an undisclosed number of clients. And in August, cyber gumshoes discovered a Trojan that stole more than 1.3 million records from people who were looking for work through job recruiter Monster.com.

Few companies disclose details of their data-retention policies, such as whether computers containing sensitive information are encrypted. This is partly because the release of too much information can tip off criminals. But we can't help thinking the lack of disclosure also gives lawyers wriggle room in the event something goes wrong.

Indeed, Gap's FAQ didn't say whether customer records, applicant information and other sensitive details in its possession are encrypted, or whether it plans to enforce such a policy in the future. The Associated Press, however, quoted Glenn Murphy, the company's CEO and chairman saying the storing of applicant data without encrypting it ran contrary to Gap's agreement with the third-party vendor.

Gap is contacting applicants based in the US and Puerto Rico who had their social security numbers exposed. It is also arranging for them to receive one year of free credit monitoring. The company said it is unaware of any of the data being misused. ®

Broader topics

Narrower topics


Other stories you might like

  • There are 24.6 billion pairs of credentials for sale on dark web
    Plus: Citrix ASM has some really bad bugs, and more

    In brief More than half of the 24.6 billion stolen credential pairs available for sale on the dark web were exposed in the past year, the Digital Shadows Research Team has found.

    Data recorded from last year reflected a 64 percent increase over 2020's total (Digital Shadows publishes the data every two years), which is a significant slowdown compared to the two years preceding 2020. Between 2018 and the year the pandemic broke out, the number of credentials for sale shot up by 300 percent, the report said. 

    Of the 24.6 billion credentials for sale, 6.7 billion of the pairs are unique, an increase of 1.7 billion over two years. This represents a 34 percent increase from 2020.

    Continue reading
  • Tim Hortons collected location data constantly, without consent, report finds
    Hortons hears a sue

    From May 2019 through August 2020, the mobile app published by multinational restaurant chain Tim Hortons surveilled customers constantly by gathering their location data without valid consent, according to a Canadian government investigation.

    In a report published Wednesday, Office of the Privacy Commissioner (OPC) of Canada and the privacy commissioners from three provinces – Alberta, British Columbia, and Quebec – presented the results of an inquiry that began shortly after the publication of a June 2020 National Post article.

    That article revealed the Tim Hortons app tracked location data every few minutes even when relegated to the background, and the report compiled by Canadian privacy officials confirmed as much.

    Continue reading
  • Behind Big Tech's big privacy heist: Deliberate obfuscation
    You opted out, but you didn't uncheck the box on page 24, so your data's ours...

    Opinion "We value your privacy," say the pop-ups. Better believe it. That privacy, or rather taking it away, is worth half a trillion dollars a year to big tech and the rest of the digital advertising industry. That's around a third of a percent of global GDP, give or take wars and plagues. 

    You might expect such riches to be jealously guarded. Look at what those who "value your privacy" are doing to stop laws protecting it, what happens when a good law  gets through, and what they try to do to close it down afterwards. 

    The best result for big tech is if laws are absent or useless. The latest survey of big tech lobbying in the US reveals a flotilla of nearly 500 salespeople/lawyers touring the US state legislatures, trying to either draw up tech friendly legislation to insert into privacy bills, water then down through persuasion, or just keep them off the books.

    Continue reading
  • TikTok US traffic defaults to Oracle Cloud, Beijing can (allegedly) still have a look
    Alibaba hinted the gig was worth millions each year

    The US arm of Chinese social video app TikTok has revealed that it has changed the default location used to store users' creations to Oracle Cloud's stateside operations – a day after being accused of allowing its Chinese parent company to access American users' personal data.

    "Today, 100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," the company stated in a post dated June 18.

    "For more than a year, we've been working with Oracle on several measures as part of our commercial relationship to better safeguard our app, systems, and the security of US user data," the post continues. "We still use our US and Singapore datacenters for backup, but as we continue our work we expect to delete US users' private data from our own datacenters and fully pivot to Oracle cloud servers located in the US."

    Continue reading

Biting the hand that feeds IT © 1998–2022