Complain about a product or service

800,000 Job Seekers At Risk In Gap Data Breach

Laptop containing applicant data stolen from contractor

by Martin H. Bosworth
ConsumerAffairs.com

October 1, 2007

The missing laptop contained data on job seekers from the United States and Puerto Rico who applied between July 2006 and June 2007, such as Social Security numbers. Canadian applicants' data was also on the laptop, but Social Insurance numbers were not included.

The Gap claimed that the unidentified vendor used by the company to process job applicant data stored the information on the laptop without encrypting it, a violation of The Gap's policies, according to company CEO Glenn Murphy.

“What happened here is against everything we stand for as a company," Murphy said. "We’re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.”

As is typical in data breach cases, The Gap claimed there was no evidence that the stolen information was being used for identity theft or fraud. The company also promised a free year of credit monitoring and fraud resolution services for affected applicants. The Gap also claimed it used multiple vendors to manage job applicant information, ensuring that not every applicant would be affected.

Too Many Fingers In The Pie

Outsourcing of business processes such as billing, payroll, and employee data to third parties has been a primary cause of data breaches in recent years. Third-party companies that handle personal data often do not adhere to the privacy standards of the companies or government agencies they are contracted to, and simply passing data through multiple hands increases the risk that it may be lost, stolen, or misused.

Business outsourcing company ACS misplaced a compact disc containing personal information on 2.9 million Georgia residents in April 2007. The company had been hired by Georgia's state government to handle health care billing and claims for its state Medicare administration and child health care program.

Government contracting agency SAIC transmitted information on 580,000 military personnel and their families without using encryption in July 2007. The information was also stored on an unsecured server, putting the individuals at greater risk of identity theft and fraud if the information was stolen.

And Connecticut sued Accenture in September 2007 for removing state bank account and taxpayer information from the state's computer system, which was later downloaded onto a laptop that was stolen from an intern for the Ohio state government. Accenture had been hired by both Connecticut and Ohio to handle upgrading and modernizing of the states' billing and payroll systems.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |