Eva Knott 4:04 a.m., May 23
Rubio's, the well-known Mexican fast food chain based in Carlsbad, says that a computer disk containing personal information on individuals, including the social security numbers of some company shareholders, has gone missing.
"On February 5, 2012, a CD-ROM containing a list of certain people who owned equity shares in Rubio's Restaurants, Inc. was taken offsite by a third-party vendor, BDO USA, LLP," according to a February 18 letter to those affected by the privacy breach.
The letter was posted online by the office of state Attorney General Kamala Harris, as required by state law when there are electronic security breaches involving more than 500 people.
"Rubio's contracted with BDO to perform financial auditing services," the document says. "A BDO employee removed the CD-ROM from site, where they believe it was stolen from her vehicle. This was a breach of protocol employed by both Rubio's and BDO."
"The CD-ROM contains a partial equity roll, which includes names and social security numbers,"
"The theft occurred in the Pacific Beach area of San Diego, California," the letter adds.
"Rubio's is diligently working with BDO and law enforcement to recover the property and to identify and prosecute those responsible for the theft.
"Rubio's does not presently know whether the thieves have any intention or means of committing identity theft, but you should contact all banks, financial institutions, and credit companies with whom you conduct business and alert these institutions of the theft.
"You should also contact one of the three major credit bureaus to monitor your credit report for any suspicious activity. You should immediately notify the credit bureaus if your credit reports show anything suspicious.
"You should also closely monitor your bank and credit card accounts."
The letter, signed by Rubio's senior risk manager Heidi Bastien, adds that the company and its contractor "are working together to ensure that security procedures are heightened so that this breach does not reoccur."
A subsequent letter from Bastien, dated Februry 28, warned that the breach also involved "certain information on workers compensation claimants, which includes claim numbers, date of loss, medical status and names.
"The medical status portion is very brief, consisting of a one-line summary of the employees' claim for injuries or illnesses.
"Please be assured that sensitive information such as social security numbers, addresses, telephone numbers, doctors' diagnoses and doctors' treatments were not included on the CD-ROM."
The letter added that "BDO is offering to provide you with free credit monitoring and fraud insurance for one year."
After being contacted this morning by phone regarding the current status of the breach, Rubio's issued the following statement:
"On February 5, Rubio’s Restaurants, Inc. was notified by our accounting firm of a data breach that specifically included the theft of a physical disc from one of its employees containing confidential information relating to a limited number of current and former Rubio’s employees.
"This confidential information did not include any personal information regarding any of our customers or credit card numbers.
"In accordance with state law, Rubio’s notified the Attorney General and all affected parties.
"Credit monitoring was offered to all affected parties and, to our knowledge, no individual has been adversely affected by this breach."