Gap says the laptop was recently stolen from the offices of a third-party vendor that manages its job applicant data for Gap. Gap also says that contrary to its agreement with the vendor, the information on the laptop was not encrypted.
The laptop contains personal data for about 800,000 people who applied online or by phone for store positions at one of Gap’s brands between July 2006 and June 2007. The affected individuals applied for store positions with the company’s Old Navy, Banana Republic, Gap and outlet stores from the U.S., Puerto Rico and Canada. The laptop did not contain Canadian applicants’ “Social Insurance” numbers, Gap says.
Gap says it has no reason to believe the data contained on the computer was the target of the theft or that the personal information has been accessed or used improperly.
“Gap Inc. deeply regrets this incident occurred. We take our obligation to protect the data security of personal information very seriously,” Gap chairman and CEO Glenn Murphy said in a press release revealing the theft. “What happened here is against everything we stand for as a company. We’re reviewing the facts and circumstances that led to this incident closely, and will take appropriate steps to help prevent something like this from happening again.”
Gap spokeswoman Cynthia Lin declined to name the vendor involved. But one of Gap’s vendors, San Francisco-based recruiting software firm Taleo, issued a statement Friday saying that it was not the vendor in question.
Taleo representative Krista Canfield says Taleo had begun to receive inquiries about Gap’s data breach.
“We just wanted to make sure people were clear, and people understood that we were not involved,” she says.
Lin confirmed that Taleo was not involved.
The Gap incident comes on the heels of a security snafu at Internet job board titan Monster.com disclosed in August.
Gap says it has begun notifying the job applicants whose Social Security numbers were included in the information on the laptop and is offering them a year of free credit monitoring services with fraud resolution assistance, along with a dedicated 24-hour helpline. In addition, the company is posting information and updates at Web site it set up for the purpose, www.gapsecurityassistance.com.
Related content: Data Breach Laws: A Wake-up Call for HR