Computershare Says No Customer Data Exposed In Breach

The investor services company told Threatpost that an investigation has determined that data stolen by a rogue employee didn't contain shareholder data. However, the company still hasn't retrieved two USB drives containing company email and documents that outline some of Computershare's closely held business plans.

The statement came in response to a Threatpost report on Tuesday concerning an ongoing legal effort by the Australia-based firm to retrieve thousands of stolen, confidential documents from a former employee of the company's Canton, Massachusetts office. Computershare had warned in its complaint that data on "millions of shareholders" could potentially be at risk.

In an e-mail statement to Threatpost, Computershare senior marketing manager Jeff Stein said that, since filing an amended complaint against former employee Kathyann Pace in March, the company has completed an internal investigation that no client or shareholder data was compromised in the theft.

However, Computershare acknowledges that Pace, who worked as an internal auditor for the firm, absconded with information that could potentially be compromising to Computershare’s competitive position in the marketplace. That information included the results of internal audits, as well as operational details and plans for the company's U.S. lines of business.

The case, which was filed in February, 2011, remains open, with Pace charged with violations of the U.S. Computer Fraud and Abuse Act. At issue is her refusal to return two USB drives that a forensic investigation by Computershare determined were used to store thousands of pages of company documents after they were copied from Pace's work laptop.

Pace claims that she lost the USB drives, but Computershare's analysis of Pace's personal laptop suggests that she was in possession of them even while telling the company that she could not locate the drives.

Stein said that Computershare discovered the breach after an internal investigation, but that responsibility for the breach lies squarely with Pace.

"This incident did not involve a breakdown in company process or procedure but rather a breach of duty by one employee, acting outside well-known company policies and obligations under the terms of their employment," Stein wrote.

"By moving swiftly against the employee and working through the court system, the company was able to protect its own confidential information," he said.

The case and Computershare's investigation of Pace's activity continue, Stein wrote.

Attacks by rogue insiders are among the most damaging to firms and the most difficult to defend against. Studies have shown that most firms don't have the ability to monitor information leaks from within their company.

Commenting on this Article is closed.