Data Breach Hits Google Employees

Reports have been trickling out of Silicon Valley of a potentially major personal data breach affecting Google employees.

But the data breach didn’t result from cunning hackers penetrating a vulnerable corporate network. It’s just another case of computers getting up and walking as a result of an old-fashioned burglary.

Valleywag reported July 2 on its Web site that Google employees hired before Dec. 31, 2005, received notices that their personal data, including Social Security numbers and birth dates had been compromised by a break-in at Colt Express Outsourcing Services, a payroll and human resources outsourcing company.

The Valleywag report says the break-in occurred at Colt Express on May 26 and Google informed employees on June 9 about the breach. As a result, employees are getting a free year of identity theft protection.

Google employees looking to get an explanation from Colt Express will find the company’s Web site is no help. The site only reports that the “home page will be reconstructed.”

The likely reason for the Colt Express site being down is that Ceridian, the giant payroll processing and human resources company that serves more than 25 million employees, announced in early February 2008 that it had acquired “certain assets” from Colt Express. Ceridian’s benefits services division is now providing services to Colt’s clients.

This latest case demonstrates again that poor physical security is a more prevalent cause of data breaches than remote hacking attacks. Most of the biggest data breaches reported over the past couple of years have resulted from laptop computers being lost or stolen.

This means that the solution to these problems is a combination of improved physical security at business offices of all kinds to make it harder to steal computers and new data protection services that attempt to erase or block access to storage disks after computers have been stolen.

On June 30, Dell started offering a set of services for its business computers that not only try to track missing or stolen laptops, but also attempt to remotely erase sensitive corporate data from a hard disk drive.

Such services are likely to become more prevalent as corporate IT managers learn that they haven’t truly secured employee and customer data until they implement some kind of effective system that tries to block access to data contained on the hard disks of lost and stolen computers.