IBM's February 2007 data breach exposed the personal information of all of its employees and former employees. China Tech News reported that the sensitive personal information of 1,000 IBM Shenzhen employees was disclosed by a supplier in China:
"Some IBM employees in Dalian reportedly were also victims of this identity theft scam. A Beijing-based company, which is one of the suppliers of IBM, had allegedly applied for the credit cards, which is called Foreign Enterprise Joint Name Card. Though the BOC outlet stated that it did not issue the credit cards since there were no signatures of the employees on the application forms, one of the employees from IBM said that his card had already been used."
According to Forbes Magazine, IBM moved its global procurement headquarters to Shenzhen, China in 2006. This was the first time the headquarters of a corporate-wide IBM division had been moved outside the USA. IBM reportedly has about 3,000 suppliers across Asia and employees in about 60 countries.
You'd think that by now IBM, a company that other companies frequently hire as a consultant on data breaches and computer security, would have this breach and supplier security situation figured out -- that it just wouldn't happen to IBM.
Just like in 2007, IBM is tight-lipped when it comes to details. IBM says it is investigating the latest breach and won't release the name of the supplier. In 2007, IBM never disclosed the name of its supplier, nor the results of its breach investigation. In 2007, IBM offered its breach victims 12 months of free credit monitoring with Kroll.
This week, IBM's X-Force released its 2009 Mid-Year Trend and Risk Report about the threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Several news media sources, including Internet News, ran the following quote about the report:
"'The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,' said IBM X-Force Director Kris Lamb."
IBM should have added its supplier data breaches to the list of threats. Trust nobody indeed. Don't trust IBM either.