Data Losses note
tapes, disks and sticks

This page highlights recent examples of exposure of personal information through loss of computer tapes or disks or memory sticks, including misplacement or theft during shipping.

It covers -

     introduction
     BoA, IBM and Chase
     Iron Mountain and Ameritrade
     Citigroup and City National
     Marriott
     Deloittes
     AHTCC
     CIBC and BNYM
     Wellpoint
     DHS
     Alcatel
     UK government

     introduction

Media coverage of the net has led many people to believe that media such as computer tapes and disks are no longer used for transporting and archiving large volumes of data, presumably having been replaced by the net or by secure private networks. In fact substantial volumes of information still travel by physical media and are copied onto tape or disk for remote storage.

It is clear that the protocols used by some organisations and individuals for safeguarding that information are defective. Some organisations have sought to minimise costs by using standard transport arrangements, despite criticisms that items get misplaced by couriers and airlines or pocketed by transport personnel (eg baggage handlers).

Inadequacies in transport become of particular concern when the data custodians have failed, through for example a poor assessment of risks, to restrict access to media that do go astray. Finance industry figures have commented that particular organisations did not encrypt major data collections because that would involve delays or otherwise require additional expenditure.

     BoA, IBM and Chase

In 2004 the Bank of America lost unencrypted tapes with account information on 1.2 million US federal employee credit cards, including US senators. The tapes went missing during shipment across the US to a remote site.

The bank commented that

we, with federal law authorities, have done a very robust, thorough investigation on this and neither we nor they would make the statement lightly that we believe those tapes to be lost

One of the crueller commentators referred to that as the Mandy Rice-Davies excuse, commenting "they would say that, wouldn't they".

IBM Canada lost Alberta government pension tapes and fiche in 2005. The incident is interesting not for the size of the exposure - the tapes held data about 77 pension refund cheques - but for the cavalier way the loss was handled.

The Alberta Information & Privacy Commissioner notes that there was no tracking of computer tape shipments between IBM and its agent, no tracking of delivery of microfiche from that agent to IBM, and that IBM waited two months before disclosing the breach. In 2007 IBM lost an undisclosed number of tapes holding employee archival information "such as your Social Security number, your dates of employment with IBM, birth date, contact information such as your address, and your IBM work history". Ooops. IBM advertised in a local newspaper to ask for the return of the tapes. Some of the tapes were encrypted. IBM offered its personnel a year of a credit-monitoring service.

In 2006 Chase Card Services (a division of JP Morgan Chase) notified 2.6 million current and former Circuit City credit card account holders that computer tapes containing their personal information had been inadvertently sent to the trash. It indicated that it believed the tapes were safely "buried in a landfill" somewhere but nevertheless offered those consumers one year of free credit monitoring.

     Iron Mountain and Ameritrade

Unencrypted personal data on 600,000 current and former Time Warner employees from 1986 onwards went missing during shipment to the Iron Mountain data repository.

During the same year Ameritrade "misplaced" some 200,000 customer records on a lost backup tape in transit.

     Citigroup and City National

Tapes holding 3.9 million unencrypted consumer records of active and closed accounts went missing during shipment by UPS from CitiFinancial to a credit reference agency in 2005.

CitiFinancial apologised, commented that it "has no reason to believe that the information has been used inappropriately", offered customers free enrollment in a credit-monitoring service for 90 days (although critics note that the average time for victims to become aware of the theft is 12 months, with a further 175 hours and US$808 out-of-pocket expenses spent clearing their names) and announced that it had stopped delivering computer tapes by courier.

Los Angeles-based City National announced in 2005 that it had lost two backup tapes. Those tapes went missing in transit to a secure repository. It is unclear whether they ended up as landfill, as streamers for a children's party or something misused by criminals.

     Marriott

Marriott Vacation Club, the timeshare unit of Marriott International, announced that personal data (including Social Security numbers, bank and credit card numbers) for over 206,000 employees, timeshare owners and timeshare customers featured on backup computer tapes that "went missing" from the group's Florida office in 2005.

It announced plans "to search for the tapes, to determine how they disappeared and monitor accounts for any unusual activity or possible misuse" and commented

We regret this situation has occurred and realize this may cause concern for our associates and customers.

     Deloittes

The UK Register reported that a Deloitte & Touche CD containing information on around 9,000 McAfee personnel was left in an aircraft seat pocket in 2006, exposing social security numbers and other information about those employees.

In Australia an army officer merely left a CD in a machine in the executive lounge of Melbourne airport. That disk contained a confidential report regarding the controversial death of an Australian serviceman in Iraq, strengthening criticism after the government somehow returned another person's body to the serviceman's family.

     AHTCC

Just as embarrassingly, details of 3500 Australian customers from 18 banks, including names and account numbers, featured on a memory stick lost by a representative of the Australian High Tech Crime Centre during transit to an international meeting on phishing in April 2005.

The information formed part of a classified dossier on Russian mafia internet scams. Loss of the stick sparked an "exhaustive" but unsuccessful search by Australian Federal Police of hotels and airports in Sydney, Singapore and London. The AHTCC did not inform the bank customers (who had already fallen victim by providing details in response to bogus email requests) and reportedly persuaded the banks not to alert those people, arguing that publicity would alert new criminals to the stick's existence.

A few months later dossiers, a list of corruption operation names and computer disks relating to police corruption investigations were stolen from an unattended Office of Police Integrity car in East Melbourne. They were recovered later the same day.

     CIBC and BNYM

The Canadian Imperial Bank of Commerce reported in 2007 that it had lost a computer hard drive that featured the personal financial information of around 470,000 mutual fund customers. The information, from current and former customers, includes names, addresses, signatures, dates of birth, account numbers, beneficiary information and social insurance numbers. The drive disappeared while being moved from Montreal to Toronto.

In 2008 the Bank of New York Mellon reported that "sensitive data" regarding over 4 million people owning shares in listed companies was exposed after a box of back-up storage tapes went missing in February. The unencrypted data included names, addresses, and Social Security numbers.

The same year saw UK data processor Graphic Data disclose that its Mail Source subsidiary had used eBay to sell a personal computer that featured unencrypted personal data regarding some one million customers of American Express, NatWest and the Royal Bank of Scotland. The data included bank account numbers, phone numbers, mothers' maiden names and signatures.

The company commented that the employee who sold the computer had made an "honest mistake" in what had been an "isolated incident".

     Wellpoint

One data loss may be misfortune; recurrent loss looks like carelessness.

In 2006 major US insurer WellPoint learned that electronic backup tapes with information on 196,000 members had been stolen from Concentra, a commercial data warehouse service. In March 2007 WellPoint advised that a compact disc holding unencrypted personal data about 75,000 members had been lost by a subcontractor dealing with Magellan Behavioral Services, a specialist in monitoring mental health and substance abuse treatment. The data included patient names, Social Security numbers, health plan identification numbers and a description of medical services back to 2003.

In 2007 the Georgia Department of Community Health reported that a computer disk containing names, birth dates and Social Security numbers of 2.9 million Medicaid and children's health care recipients went missing during shipment by data processor Affiliated Computer Services. ACS had also featured in the loss of Motorola data highlighted on the following page of this note.

     DHS

In May 2007 the US Transportation Security Administration (TSA), an arm of the Homeland Security Department, reported theft of an external hard drive holding unencrypted personal data on 100,000 of its employees. The data included payroll information, bank accounts, birth dates and social security numbers, leave data, and details of financial allotments and deductions. The union representing federal government employees responded by moving towards a class action; the TSA offered a year of credit-monitoring services.

     Alcatel

In May 2007 Alcatel-Lucent revealed that a disk featuring the names, addresses, Social Security numbers, birth dates and salary data for Lucent employees, family members and dependents had been lost or stolen between April 5 and May 3. The company offered free credit monitoring for one year and, in line with the usual statements, commented that

We recognize that we have a responsibility to carefully protect this type of information and deeply regret the loss. We are taking steps to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimize any potential risk this incident could create for them.

     UK government

In 2007 the UK government disclosed that the personal records of 7.25 million families (some 25 million people) claiming child benefit - including dates of birth, addresses, bank accounts and national insurance numbers - were on CDs that went missing while being sent by courier to the National Audit Office (NAO) in London. The loss was not discovered for three weeks.

The disks were password protected but the data was apparently not encrypted. Ironically, a junior official at HM Revenue & Customs (UK counterpart of the ATO) sent a set of replacement disks by standard mail, in breach of security rules. Those disks arrived. The head of the NAO claimed that senior managers at Revenue & Customs knew of and approved the policy of sending unedited copies of whole databases of sensitive personal details through the post, allegedly justifying the practice by advising him that it was "too expensive" to delete sensitive information from the copies.

Shortly thereafter the government revealed that a hard drive had gone AWOL in a contractor's premises in the US. The drive featured the names, addresses, phone numbers, email addresses, test centre and a payment code for over three million candidates for a theory test taken by learner drivers in Britain. Individuals were not being informed because banking details were not included in the lost data. The Minister said "I apologize for any uncertainty or concern that these individuals may experience", concurrently reporting that two discs containing the details of 7,500 vehicles and the names and addresses of their owners had been "lost in transit".

In 2008 the government revealed that PA Consulting - a major contractor working for the Home Office - had lost an unencrypted memory stick featuring personal details of all 84,000 prisoners in England and Wales. Those details included the names, birth dates and release dates of most inmates, along with the home addresses of around 40,000 inmates, "personal details and intelligence on 33,000 serious offenders" and information on people in drug intervention programmes.

Critics responded that the loss meant informants could be at risk of reprisals, named offenders may seek rehousing or police protection from vigilantes and individuals could seek compensation.

Later in the year the government revealed that an unencrypted hard disk containing personal details of 5,000 prison officers "went missing" in mid 2007. The disk included names, birth dates, National Insurance numbers and prison service employee numbers.


version of August 2008
© Bruce Arnold
caslon.com.au | caslon analytics