tapes, disks and sticks
This page highlights recent examples of exposure of personal
information through loss of computer tapes or disks or
memory sticks, including misplacement or theft during
It covers -
Media coverage of the net has led many people to believe
that media such as computer tapes and disks are no longer
used for transporting and archiving large volumes of data,
presumably having been replaced by the net or by secure
private networks. In fact substantial volumes of information
still travel by physical media and are copied onto
tape or disk for remote storage.
It is clear that the protocols used by some organisations
and individuals for safeguarding that information are
defective. Some organisations have sought to minimise
costs by using standard transport arrangements, despite
criticisms that items get misplaced by couriers and airlines
or pocketed by transport personnel (eg baggage handlers).
Inadequacies in transport become of particular concern
when the data custodians have failed, through for example
a poor assessment of risks, to restrict access to media
that do go astray. Finance industry figures have commented
that particular organisations did not encrypt major data
collections because that would involve delays or otherwise
require additional expenditure.
BoA, IBM and Chase
In 2004 the Bank of America lost unencrypted tapes with
account information on 1.2 million US federal employee
credit cards, including US senators. The tapes went missing
during shipment across the US to a remote site.
The bank commented that
with federal law authorities, have done a very robust,
thorough investigation on this and neither we nor they
would make the statement lightly that we believe those
tapes to be lost
of the crueller referred to that as the Mandy Rice-Davies
excuse, commenting "they would say that, wouldn't
Canada lost Alberta government pension tapes and fiche
in 2005. The incident is interesting not for the size
of the exposure - the tapes held data about 77 pension
refund cheques - but for the cavalier way the loss was
The Alberta Information & Privacy Commissioner notes
that there was no tracking of computer tape shipments
between IBM and its agent, no tracking of delivery of
microfiche from that agent to IBM, and that IBM waited
two months before disclosing the breach. In 2007 IBM lost
an undisclosed number of tapes holding employee archival
information "such as your Social Security number,
your dates of employment with IBM, birth date, contact
information such as your address, and your IBM work history".
Ooops. IBM advertised in a local newspaper to ask for
the return of the tapes. Some of the tapes were encrypted.
IBM offered its personnel a year of a credit-monitoring
In 2006 Chase Card Services (a division of JP Morgan Chase)
notified 2.6 million current and former Circuit City credit
card account holders that computer tapes containing their
personal information had been inadvertently sent to the
trash. It indicated that it believed the tapes were safely
"buried in a landfill" somewhere but nevertheless
offered those consumers one year of free credit monitoring.
Iron Mountain and Ameritrade
Unencrypted personal data on 600,000 current and former
Time Warner employees from 1986 onwards went missing during
shipment to the Iron Mountain data repository
During the same year Ameritrade "misplaced"
some 200,000 customer records on a lost backup tape in
Citigroup and City National
Tapes holding 3.9 million unencrypted consumer records
of active and closed accounts went missing during shipment
by UPS from CitiFinancial to a credit reference agency in
CitiFinancial apologised, commented it "has no reason
to believe that the information has been used inappropriately",
offered customers free enrollment in a credit-monitoring
service for 90 days (although critics note that the average
time for victims to become aware of the theft is 12 months,
with a further 175 hours and US$808 out-of-pocket expenses
spent clearing their names) and announced that it has
stopped delivering computer tapes by courier.
Los Angeles-based City National announced in 2005 that
it had lost two backup tapes. Those tapes went missing
in transit to a secure repository. It is unclear whether
they ended up as landfill, as streamers for a children's
party or something misused by criminals.
Marriott Vacation Club, the timeshare unit of Marriott
International, announced that personal data (including
Social Security numbers, bank and credit card numbers)
for over 206,000 employees, timeshare owners and timeshare
customers featured on backup computer tapes that "went
missing" from the group's Florida office in 2005.
It announced plans "to search for the tapes, to determine
how they disappeared and monitor accounts for any unusual
activity or possible misuse" and commented
regret this situation has occurred and realize this
may cause concern for our associates and customers.
The UK Register reported that a Deloitte &
Touche CD containing information on around 9,000 McAfee
personnel was left in an aircraft seat pocket in 2006,
exposing social security numbers and other information
about those employees.
In Australia an army officer merely left a CD in a machine
in the executive lounge of Melbourne airport. That disk
contained a confidential report regarding the controversial
death of an Australian serviceman in Iraq, strengthening
criticism after the government somehow returned another
person's body to the serviceman's family.
Just as embarrassingly, details of 3500 Australian customers
from 18 banks, including names and account numbers, featured
on a memory stick lost by a representative of the Australian
High Tech Crime Centre during transit to an international
meeting on phishing in April 2005.
The information formed part of a classified dossier on
Russian mafia internet scams. Loss of the stick sparked
an "exhaustive" but unsuccessful search by Australian
Federal Police of hotels and airports in Sydney, Singapore
and London. The AHTCC did not inform the bank customers
(who had already fallen victim by providing details in
response to bogus email requests) and reportedly persuaded
the banks not to alert those people, arguing that publicity
would alert new criminals to the stick's existence.
A few months later dossiers, a list of corruption operation
names and computer disks relating to police corruption
investigations were stolen from an unattended Office of
Police Integrity car in East Melbourne. They were recovered
later the same day.
CIBC and BNYM
The Canadian Imperial Bank of Commerce reported in 2007
that it had lost a computer hard drive that featured the
personal financial information of around 470,000 mutual
fund customers. The information, from current and former
customers, includes names, addresses, signatures, dates
of birth, account numbers, beneficiary information and
social insurance numbers. The drive disappeared while
being moved from Montreal to Toronto.
In 2008 the Bank of New York Mellon reported that "sensitive
data" regarding over 4 million people owning shares
in listed companies was exposed after a box of back-up
storage tapes went missing in February. The unencrypted
data included names, addresses, and Social Security numbers.
The same year saw UK data processor Graphic Data disclose
that its Mail Source subsidiary had used eBay to sell
a personal computer that featured unencrypted personal
data regarding some one million bank customers. The data
included bank account numbers, phone numbers, mothers'
maiden names and signatures of one million customers of
American Express, NatWest and the Royal Bank of Scotland.
The company commented that the employee who sold the computer
had made an "honest mistake" in what had been
an "isolated incident".
One data loss may be misfortune; recurrent loss looks
In 2006 major US insurer WellPoint learned that electronic
backup tapes with information on 196,000 members had been
stolen from Concentra, a commercial data warehouse service.
In March 2007 WellPoint advised that a compact disc holding
unencrypted personal data about 75,000 members had been
lost by a subcontractor dealing with Magellan Behavioral
Services, a specialist in monitoring mental health and
substance abuse treatment. The data included patient names,
Social Security numbers, health plan identification numbers
and a description of medical services back to 2003.
In 2007 the Georgia Department of Community Health reported
that a computer disk containing names, birth dates and
Social Security numbers of 2.9 million Medicaid and children's
health care recipients went missing during shipment by
data processor Affiliated Computer Services. ACS had featured
in the loss of Motorola data highlighted in the following
page of this note.
In May 2007 the US Transportation Security Administration
(TSA), an arm of the Homeland Security Department, reported
theft of an external hard drive holding unencrypted
personal data on 100,000 of its employees. The data included
payroll information, bank accounts, birth dates and social
security numbers, leave data, and details of financial
allotments and deductions. The union responsible for federal
government employees responded by moving towards a class
action; the TSA offered a year of credit-monitoring services.
In May 2007 Alcatel-Lucent revealed that a disk featuring
the names, addresses, Social Security numbers, birth dates
and salary data for Lucent employees, family members and
dependents had been lost or stolen between April 5 and
May 3. The company offered free credit monitoring for
one year and, in line with the usual statements, commented
recognize that we have a responsibility to carefully
protect this type of information and deeply regret the
loss. We are taking steps to prevent this from happening
in the future. In the meantime, we will provide information
and assistance to our employees and retirees to help
them minimize any potential risk this incident could
create for them.
In 2007 the UK government disclosed that the personal records
of 7.25 million families (some 25 million people) claiming
child benefit - including dates of birth, addresses, bank
accounts and national insurance numbers - were on CDs
that went missing while being sent by courier to the National
Audit Office (NAO) in London. The loss was not discovered
for three weeks.
The disks were password protected but the data was apparently
not encrypted. Ironically, a junior official at HM Revenue
& Customs (UK counterpart of the ATO) sent a set of
replacement disks by standard mail, in breach of security
rules. Those disks arrived. The head of the NAO claimed
that senior managers at Revenue & Customs knew of
and approved the policy of sending unedited copies of
whole databases of sensitive personal details through
the post, allegedly justifying the practice by advising
him that it was "too expensive" to delete sensitive
information from the copies.
Shortly thereafter the government revealed that a hard
drive had gone AWOL in a contractor's premises in the
US. The drive featured the names, addresses, phone numbers,
email addresses, test centre and a payment code for over
three million candidates for a theory test taken by learner
drivers in Britain. Individuals were not being informed
because banking details were not included in the lost
data. The Minister said "I apologize for any uncertainty
or concern that these individuals may experience",
concurrently reporting that two discs containing the details
of 7,500 vehicles and the names and addresses of their
owners had been "lost in transit".
In 2008 the government revealed that PA Consulting - a
major contractor working for the Home Office - had lost
an unencrypted memory stick featuring personal details
of all 84,000 prisoners in England and Wales. Those details
included the names, birth dates and release dates of most
inmates, along with the home addresses of around 40,000
inmates, "personal details and intelligence on 33,000
serious offenders" and information on people in drug
Critics responded that the loss meant informants could
be at risk of reprisals, named offenders may seek rehousing
or police protection from vigilantes and individuals could
Later in the year the government revealed that an unencrypted
hard disk containing personal details of 5,000 prison
officers "went missing" in mid 2007. The disk
included names, birth dates, National Insurance numbers
and prison service employee numbers.