Gap Inc.’s disclosure that it lost a laptop containing the personal information of 800,000 job applicants leaves me wondering what on earth they were thinking.
- Why were these applicant records stored on a laptop rather than accessible over a virtual private network (VPN)? Is convenience more important than privacy?
- The data was lost by an unnamed third-party provider. What service were they performing with the laptop?
- The data was unencrypted, apparently against Gap policy. Why?
- Some percentage of the applicants reportedly provided social security numbers. If you were going to analyze the applicant data, why would you also need the social security numbers?
- Do they know who stole it or why? Was it a former employee of the third-party provider? An investigation is underway, but it’s unclear whether law enforcement is involved.
The San Francisco retailer, which learned of the apparent data theft on Sept 19th, said it is notifying the applicants by mail. According to the company, the applicants applied online by phone for retail jobs at one or more of Gap Inc.’s brands in the U.S., Canada and Puerto Rico between July 2006 and June 2007.
The Gap is providing the apparent identify theft victims with a year of free credit monitoring services including fraud resolution assistance and a 24-hour helpline.
Undoubtedly, there will be pressure on the Gap to provide further answers, especially to privacy advocates and the impacted job seekers. Then again, this story might just fall into the you-know-what.
[...] Meanwhile, it was just one month ago that the news broke about the Gap’s lost laptop containing the personal information of 800,000 job applicants. That story died quickly but this one is less likely to go away so soon. Ironically, the Gap used to be one of the best companies to work for in America. [...]