Salvation Army Data Breach Compromises Employee Background Check Information
A recent breach of a background check company contracted by the Salvation Army, among other organizations and companies, may have compromised the sensitive personal information of 100,000 people nationwide, according to a recent report from a Georgia CBS affiliate. Sources say that the background check company had information about their clients' employees and applicants on a laptop that was stolen out of a car, all the way back in May. Information contained on the computer ranged from personal details like names, addresses, and dates of birth, to more even more sensitive information, like Social Security Numbers. In the wrong hands, the information could lead to identity theft and other fraudulent crimes.
Salvation Army, the well-known Christian charitable organization with locations and presences all over the world, was just one of the many clients of the breached background check company. In fact, according to the CBS report, only 86 Salvation Army applicants were even compromised, just a fraction of a percent of the 100,000 people who may have been compromised in total.
The background check company that lost the computer isn't entirely sure how much client information someone might be able to access using the laptop. The 100,000-person figure, then, is merely an approximate or estimate that the firm revealed in a press release about the situation. The press release also noted that the laptop was password protected, and that there are so far no known cases of any data from the computer being exploited in any way.
The big question with this situation is why the sensitive personal information of so many different clients and applicants was contained on a laptop at any one time. It's a reminder that companies, when looking to hire background check firms, need to ask serious questions about the policies those firms have in place to delete and/or dispose of client information once background check reports have been delivered. As a Salvation Army representative interviewed in the CBS article cited above said, this breach was just of an employee laptop, not a company server containing all of the background check firms files. Why was so much information saved on a single employee laptop, considering the fact that a single employee could not possibly be working on 100,000 different background check reports at any one time, or even, probably, in any one year.
The other question is why an employee with a laptop containing the sensitive information of a hundred thousand different people knowingly left that laptop unattended at any time, let alone in a car, out of which laptops, phones, and other electronics are often stolen. Doing so was irresponsible to say the least, and puts countless people in harm's way, simply because they applied for jobs with companies that used this particular firm to run background checks.
Mistakes do happen and are understandable. Still, this situation should remind companies that they owe it to the people they hire, and the people they don't, to always observe safe and secure policies for storing or destroying documents containing personal employee/applicant information. And since secure information almost always needs to be passed on to background check companies to make applicant and employee screenings possible, employers need to know that those background check firms are observing the best policies to secure or dispose of that information as well.