Personal data on 800,000 job applicants at Gap Inc. were exposed to potential identity fraud when a laptop belonging to a third-party contractor was stolen, the retailer acknowledged Friday.
Gap said in a Web site statement that a laptop containing the Social Security numbers of certain job applicants was recently stolen from the offices of an "experienced third-party vendor" that manages job applicant data for the San Francisco-based retailer.
"The company has begun notifying the job applicants whose Social Security numbers were included in the information on the laptop and is offering them a year of free credit monitoring services with fraud resolution assistance, along with a dedicated 24-hour helpline," The Gap said. The stolen data belongs to 800,000 people who applied online or by phone for store positions at one of Gap's stores -- including Old Navy and Banana Republic -- between July 2006 and June 2007.
The retailer did not name the third-party contractor tasked with managing the data, but was quick to point out that the contractor violated an agreement with Gap by not encrypting the data on the laptop.
"Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously," Gap Chairman and CEO Glenn Murphy said in the statement. "What happened here is against everything we stand for as a company. We're reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again."
He said Gap uses more than one vendor to manage job applicant data, and so not all people who applied to work for the company between July 2006 and June 2007 are affected.
Those who applied online or by phone for a job with the company between those dates should contact the Gap Inc. Security Assistance Helpline at 1-866-237-4007. Representatives are available 24 hours a day, seven days a week, the company said.
Dave Lewis, senior information security officer at the Independent Electricity System Operator (IESO) in Ontario, Canada, wrote in his Liquidmatrix blog that the security breach is particularly disturbing to him because of a recent experience he had in one of the retailer's stores in Las Vegas.
He wrote that when he emerged from a fitting room he was greeted by an employee who asked if he'd like to save 20% on his purchase. When he said yes, the woman asked if he could present a VISA or MasterCard and his Social Security number.
"I explained to her that I did not as I'm a Canadian," he said. "She frowned and said that she was sorry that they needed the SSN in order to give the discount. I was rather alarmed that the GAP wants to record SSN's from their customers."
He quickly observed that other shoppers did not share his distress. "When I got up to the cash register I listened intently as this question was posed to a few more shoppers," he said. "They handed over their information with blazing speed, never once asking why the company needed or wanted the information. So, now the GAP had their credit card info, their ZIP code and their Social Security number."
Given that experience, Lewis said it's creepy that the data on the stolen laptop wasn't encrypted.
The third-party vendor was also taken to task in a Breach Blog commentary noting that an experienced vendor "should know that human resources data is among the most sensitive data." Confidential data should not be on a laptop, but if it is it must be encrypted, the blog said.