Although IBM is part of an industry alliance that advises businesses to encrypt their customer data, the company is in the awkward position of looking for data on its own employees that was not cloaked.
The tech giant is blaming a third-party vendor for losing data tapes that contain the personal information of former employees.
The lost data includes dates of birth, Social Security numbers, addresses, lengths of employment and other private information, said IBM spokesman Fred McNeese. He would not say how many tapes were lost or how many former employees were affected.
A third-party vendor lost the data on Feb. 23, McNeese said, when IBM hired it to transport the tapes from IBM's corporate headquarters to permanent storage. McNeese refused to disclose the name of that third-party vendor, but confirmed that IBM's relationship with the company continues.
He said IBM is currently planning measures to prevent this type of data loss again. He refused to disclose the specifics of those plans, but they likely fall in line with recommendations from the Cyber Security Industry Alliance (CSIA), an organization to which IBM belongs, according to a CSIA spokeswoman.
In a section on CSIA's Web site titled, "What is a 'data breach' and how does it occur?" the site reads, "Data breaches occur in a variety of ways." One of the most common ways, according to the site, is when "tapes containing data backups or transfers disappear in transit."
CSIA suggests encrypting the data so it cannot be easily read if it falls into the wrong hands.
IBM, in fact, has been offering data tape encryption since last fall.
"Encryption scrambles data in a way that makes it unreadable except by individuals with proper keys and credentials, and thus useless to thieves and unauthorized individuals," the CSIA site reads.
CSIA recommends that federal laws be passed to require companies to encrypt personal data.
McNeese said that IBM did not encrypt all of the data stored on the missing tapes, despite its listing as a "principal" member of the CSIA, adding that there are no indications that anyone has accessed the personal data.
To ensure that the former employees whose data was stored on the tapes do not become victims of identity theft, IBM hired data-security firm Kroll to monitor the former employees' credit for the next year. It was an ex-employee who received letters from Kroll who tipped the Associated Press, which first reported the story.
McNeese said IBM told the effected ex-employees about the lost data because "it was the right thing to do."
Article courtesy of Internet News