27 posts categorized "IBM"

How the Crowd Led ProPublica to Investigate IBM

[Editor's note: today's guest post, by the reporters at ProPublica, discusses employment practices at a major corporation in the United States. The investigation is as interesting as the "Cutting 'Old Heads' At IBM" report. This also caught my attention because a data breach at IBM in 2007 led to the creation of this blog. Today's article is reprinted with permission.]

By Ariana Tobin and Peter Gosselin, ProPublica

On March 22, we reported that over the past five years IBM has been removing older U.S. employees from their jobs, replacing some with younger, less experienced, lower-paid American workers and moving many other jobs overseas.

We’ve got documentation and details — most of which are the direct result of a questionnaire filled out by over 1,100 former IBMers.

We’ve gone to the company with our findings. IBM did not answer the specific questions we sent. Spokesman Edward Barbini said: “We are proud of our company and our employees’ ability to reinvent themselves era after era, while always complying with the law. Our ability to do this is why we are the only tech company that has not only survived but thrived for more than 100 years.”

We don’t know the exact size of the problem. Our questionnaire isn’t a scientific sample, nor did all the participants tell us they experienced age discrimination. But the hundreds of similar stories show a pattern of older employees being pushed out even when the company itself says they were doing a good job.

This project wasn’t inspired by a high-level leak or an errant line in secret documents. It came to us through reader engagement. Our investigation took us beyond some of our usual reporting techniques. We’d like to elaborate on this because:

  • We know readers will wonder how we sourced some pretty serious claims.
  • Many ex-employees trusted us with their stories and spent many hours in conversation with us. We think it’s good practice to let them know how we’ve used their information.
  • This is probably the first time we’ve been pointed to a big project by a community of people we found through digital outreach. We hope that by sharing our experiences, we can help others build on our work.

IBMers found us

This project started as a conversation between the two of us, both reporters at ProPublica. Peter had taken on the age discrimination beat for reasons both personal and professional. Ariana was newly minted into a job called “engagement reporter.”

Ariana suggested that Peter write up a short essay on his own experiences of being laid off at 63 and searching for a job in the aftermath. We attached a short questionnaire to the bottom and headlined it: “Over 50 and looking for a job? We’d like to hear from you.”

Dozens of people responded within the first couple of weeks. As we looked through this first round of questionnaires, we noticed a theme: a whole lot of information and technology workers told us they were struggling to stay employed. And those who had lost their jobs? They were having a really hard time finding new work.

Of those IT workers, several mentioned IBM right off the bat. One woman wrote that she and her coworkers were working together to find new jobs in order to “ward off the dreaded old person layoff from IBM.”

Another wrote: “I can probably help you get a lot more stories, contact me if you want to discuss this possibility.”

Another wrote: “Part of the separation agreement was that I not seek collective action against IBM for age discrimination. I was not going to sign as a law firm was planning to file a grievance. However they needed 10 people to agree and they could not get the numbers.”

… and then they connected us with more IBMers

We started making some calls. One of the first people we talked to was Brian Paulson, a 57-year-old senior manager with 18 years at IBM, who was fired for “performance reasons” that the company refused to explain. He was still job-hunting two years later.

Another ex-IBM employee told us that she had seen examples of older workers laid off from many parts of the company on a public Facebook page called WatchingIBM. Ariana spent a day looking through the posts, which were, as promised, crawling with stories, questions, and calls for support from workers of all kinds, as shown in the accompanying screenshot.

We decided to reach out to the page’s administrator, who was a longtime IBM workplace activist, Lee Conrad. He shared our age discrimination questionnaire in the group and more responses poured in.

With dozens of interviews already on the books, we decided to launch a second, more specific questionnaire — this time about IBM

We realized that we had been pointed toward an angry, sad and motivated group. The older ex-IBM workers we called were trying to figure out whether their own layoffs were unique or part of a larger trend. And if they were part of a larger trend... how many people were affected?

A major frustration we saw in comment after comment: These workers couldn’t get information on how many others had been forced out with them.

This was an information gap that immediately struck Peter, because that information is exactly what the law requires employers to disclose at the time of a layoff.

On top of that, many of these sources mentioned having been forced to sign agreements that kept them from going to court or even talking about what had happened to them. They were scared to do anything in violation of those agreements, a fear that kept them from finding out the answers to some big open questions: Why would IBM have stopped releasing the ages and positions of those let go, as they had done before 2014 to comply with federal law? How many workers out there believed they had been “retired” against their will? What did managers really tell their subordinates when the time came to let them go? Who was left to do all of their work?

So we wrote up another questionnaire asking those specific questions.

We learned from the responses, and also the response rate

We contacted people on listservs, found them on open petitions, joined closed LinkedIn networks, and followed each posting on ex-IBM groups. We tweeted the questionnaire out on days that IBM reported its earnings, including the company’s ticker symbol. We talked to trade magazines and IBM historians and organizers who still work at IBM. We bought ads on Facebook and aimed them toward cities and towns where we knew IBM had been cutting its workforce.

As the responses came in, we tried to figure out where most of them were coming from. To identify any meaningful trends, we needed to know who was answering, what was working, and why. We also realized that we needed to introduce ourselves in order to persuade anyone it was worth participating.

When something worked, we’d double down:

We know what worked the best: When people filled out the questionnaire they’d also share their contact information with us. So we asked them to forward the questionnaire around within their own networks:

And we got more leads

We read through all of the responses and identified themes: 183 respondents said the company recorded them as having retired by choice even though they had no desire to retire or flat-out objected to the idea. Forty-five people were told they’d have to uproot their lives and move sometimes thousands of miles from the communities where they had worked for years, or else resign. Fifty-three said their jobs had been moved overseas. Some were happy they’d left. Some were company luminaries, given top ratings throughout their career. Some were still fighting over benefits and health care. Some were worried about finding work ever again.

Inevitably, this categorization process led us to identify new patterns as we went along, and as new responses accumulated. For each new pattern, we would go back and see how many people fit.

One of the first and most interesting such categories was the people who had received emails congratulating them on their retirement at the same time as they were informed of their layoff. We realized there would be power in numbers there, so we set up a SecureDrop for people who were willing to send us their paperwork.

Eventually, we also created a category called “legal action.” We’d stumbled upon support groups of ex-IBM employees who had filed formal complaints with the Equal Employment Opportunity Commission. Some sent us the company’s responses to their individual complaints, giving us insight into the way the company responded to allegations of discrimination. These seemed, of course, very useful.

In other words: we sent some rather complicated mass emails and were surprised over and over again by the specificity of the responses:

IBM undoubtedly has information that would shed light on the documents, its layoff practices or the overall extent and nature of its job cuts. The company chose not to respond to our questions about those issues.

So we tried to answer ex-IBMers’ questions ourselves, including one of the most basic: How many employees ages 40 and over were let go or left in recent years?

IBM won’t say. In fact, over the years, the company has stopped releasing almost all information about its U.S. workforce. In 2009, it stopped publishing its American employment total. In 2014, it stopped disclosing the numbers and ages of older employees it was laying off, a requirement of the nation’s basic anti-age bias law, the Age Discrimination in Employment Act (ADEA).

So we’ve sought to estimate the number, relying on one of the few remaining bits of company-provided information — a technique developed by a veteran financial analyst who follows IBM for investors — as well as patterns we spotted in internal company documents.

We began with a line in the company’s quarterly and annual filings with the U.S. Securities and Exchange Commission for “workforce rebalancing,” a company term for layoffs, firings and other non-retirement departures. It’s a gauge of what IBM spends to let people go. In the past five years, workforce rebalancing charges have totaled $4.3 billion.

The technique was used by veteran IBM analyst Toni Sacconaghi of Bernstein Research. Sacconaghi is a respected Wall Street analyst who has been named to Institutional Investor’s All-America Research Team every year since 2001. His technique and layoff estimates have been widely cited by news organizations including The Wall Street Journal and Fortune.

Some years ago, Sacconaghi estimated that IBM’s average per-employee cost for laying off a worker was $70,000.

Dividing $4.3 billion by $70,000 suggests that during the past five years IBM’s worldwide job cuts totaled about 62,000. If anything, that number is low, given IBM executives’ comments at a recent investor conference. Internal company documents we reviewed suggest that 50 to 60 percent of cuts were made in the U.S., with older workers representing roughly 60 percent of those. That translates to about 20,000 older American workers let go.

Our analysis suggests the total of U.S. layoffs is almost certainly higher.

First, as Sacconaghi said in a recent interview, IBM’s per-employee rebalancing costs are likely much lower now because, starting in 2016, the company reduced severance payments to departing employees from six months to just 30 days. That means IBM can lay off or fire more people for the same or lower overall costs.

Second, because, as those ex-IBMers told us, the company often converts their layoffs into retirements, the workplace rebalancing numbers don’t tell the whole story.

Right below the line for “workforce rebalancing” in its SEC filings, IBM adds another line for “retirement-related costs,” which reflects how much the company spends each year retiring people out. Some — perhaps a substantial amount of that — went to retirements that were less than fully voluntary. This could add up to thousands more people.

By coming up with answers and investigating in the open, we’ve gotten more sources

Many of the conversations we’ve had during our reporting didn’t make it into the final story. People allowed us to review internal company documents. They let us see long email exchanges with their managers. They dug back through closets and garages to find memos they had saved out of frustration or fatigue or just plain anger.

We can’t go into detail about all of the ways the community helped us report out this story, because we also promised many of our sources that we would protect their confidentiality. The beauty is that they talked to us anyway. They knew where to find us, because our contact information had been spread far and wide.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


ProPublica Seeks Input From Former IBM Employees

This news item immediately caught my attention, since a data breach in 2007 at IBM Inc. was the original inspiration for this blog. And the tech company had another breach in 2009. The company has struggled against other tech companies.

Earlier this month, IBM completed a blockchain trial with Westpac and ANZ. According to Yahoo News and Zacks Equity Research, blockchain:

"... is a kind of distributed database and works as an online ledger that cannot be altered or breached easily. The use of such technologies in the banking and finance sector is aimed at reducing the possibility of losing valuable data as well as minimizing the rate of cybercrime in the finance industry.

Notably, IBM is one of major players in the Blockchain market. This is the second significant deal for the company in this technology space..."

The reporters at ProPublica seek input from former IBM employees who left the company during the last few years. Why? The computing and technology company has:

"... been upending its workforce, often with painful results for longtime employees. According to one estimate, IBM’s U.S. employment, which peaked at 230,000, had dropped to about 70,000 by mid-2015, largely the product of layoffs and retirements. And six weeks ago, IBM told thousands of its telecommuting employees to start reporting to particular offices, which in many cases would involve long-distance moves. That, or resign. As a result, hundreds, perhaps thousands, more IBMers are leaving the company.

IBM has long been a corporate leader in employment practices. That means the way it treats its employees speaks volumes about what lies ahead for working people everywhere. But IBM executives won’t tell their workers or the public how many people are leaving this year. They refuse to provide the numbers for 2016, 2015, or 2014 either, to explain the logic behind who gets tapped to go, or exactly how the departures fit into a larger strategy.

We’re asking you to help us get the numbers and, with them, answers."

Former IBM employees interested in providing input should complete this brief questionnaire at the ProPublica site.


Apple News: Electronic Book Price Fixing Settlement; IBM Partnership; EU Concerns About In-App Purchases By Children

Last week, the Office of the Massachusetts Attorney General (AG) announced a settlement with Apple Inc. regarding electronic book (a/k/a e-book) price fixing allegations. AGs from 33 states had filed lawsuits against the company:

"Contingent upon the resolution of Apple’s appeal of a U.S. District Court verdict from 2013, consumers nationwide will receive a total of $400 million, with Massachusetts consumers estimated to receive more than $12 million in refunds. The agreement also remains subject to approval by the U.S. District Court for the Southern District of New York."

Additional details about the Apple settlement:

"The exact amount of consumer relief is contingent upon the affirmation of a U.S. District Court’s July 2013 verdict that Apple violated federal and state antitrust laws by orchestrating a conspiracy with five publishers – Penguin Group (USA), Inc. (now part of Penguin Random House); Holtzbrinck Publishers LLC d/b/a Macmillan; Hachette Book Group Inc.; HarperCollins Publishers LLC; and Simon & Schuster Inc. – to artificially raise prices for E-books between 2010 and 2012 in order to eliminate retail price competition."

Information about the publishers' settlement:

"E-book purchasers nationwide are already entitled to refunds totaling $166 million in settlement funds paid by the five publishers involved in the conspiracy. Massachusetts consumers are due more than $5 million from these funds in compensation pursuant to these settlements."

Martha Coakley, the Massachusetts AG, said in a statement:

“Price collusion amongst competitors is unacceptable and this agreement will ensure that those responsible are held accountable... We are hopeful that this settlement will go through so that affected consumers can receive significant refunds as a result of these violations.”

New York State AG Eric T. Schneiderman said in a statement:

"... the biggest, most powerful companies in the world must play by the same rules as everyone else... We will continue to work with our colleagues in other states to ensure that all companies compete fairly with the knowledge that no one is above the law.”

Good. I applaud the AGs for this enforcement action. In related news, Apple announced a partnership with IBM Inc. to:

"... redefine the way work will get done, address key industry mobility challenges and spark true mobile-led business change—grounded in four core capabilities:

1. a new class of more than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
2. unique IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
3. new AppleCare® service and support offering tailored to the needs of the enterprise; and
4. new packaged offerings from IBM for device activation, supply and management."

Meanwhile, many parents in Europe are concerned about how app-based games are marketed. Engadget reported last week:

"... while Google addressed its concerns around games with in-app purchasing, Apple has yet to offer a strategy. Following hordes of complaints by outraged parents, the EU asked both companies to implement changes to the way they sell such apps in their stores. Those include not misleading consumers about supposedly "free" games, not "directly exhorting" children to buy in-game items, thoroughly informing customers about payment arrangements and forcing game-makers to provide contact information."

The request by the European Commission and the Consumer Protection Cooperation (CPC) Network included:

"1. Games advertised as "free" should not mislead consumers about the true costs involved;
2. Games should not contain direct exhortation to children to buy items in a game or to persuade an adult to buy items for them;
3. Consumers should be adequately informed about the payment arrangements for purchases and should not be debited through default settings without consumers’ explicit consent;
4. Traders should provide an email address so that consumers can contact them in case of queries or complaints."

The Engadget news article also included this statement by Apple:

"... over the last year we made sure any app which enables customers to make in-app purchases is clearly marked. We've also created a Kids Section on the App Store with even stronger protections to cover apps designed for children younger than 13. These controls go far beyond the features of others in the industry. But we are always working to strengthen the protections we have in place, and we're adding great new features with iOS 8, such as Ask to Buy, giving parents even more control over what their kids can buy on the App Store..."

This statement was after a $32.5 million settlement in March 2014 with the U.S. Federal Trade Commission (FTC):

"... a final order resolving FTC allegations that Apple Inc. unfairly charged consumers for in-app purchases incurred by children without their parents’ consent... by March 31, 2014, Apple must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for in-app purchases. Apple also must provide full refunds, totaling a minimum of $32.5 million, to consumers who were billed for in-app purchases that were incurred by children... Should Apple issue less than $32.5 million in refunds to consumers within the 12 months after the settlement becomes final, the company must remit the balance to the Commission. By April 15, 2014, Apple must notify all consumers charged for in-app purchases with instructions on how to obtain a refund for unauthorized purchases by kids."

In-app purchases can be expensive. Experts advise parents to closely monitor their children's game activity.


IBM To Move 110,000 Retirees From Its Sponsored Health Care Plan To Private Exchanges. Other Companies Plot Similar Moves

Earlier this week, IBM announced that it will move about 110,000 Medicare-eligible retirees from its current company-sponsored health plan to private health care insurance exchanges. Retirees will receive payments towards the cost of health care through exchanges.

While IBM denied that costs were the reason for the move, the news report stated that experts have estimated Medicare costs to triple by 2020. So, while the move may not save IBM any money today, it seems the company's decision is clearly cost-related -- to save itself money in the future.

Reportedly, the new plan for IBM retirees will start January 1, 2014. According to the Chicago Tribune:

"IBM also said it was hosting meetings with groups of retirees across the country to inform them about the move to the country's largest private Medicare Exchange. While some retirees may be skeptical, studies showed that the majority of people have a more positive outlook once they were presented with the concept and understood the options available to them through these exchanges..."

Health care exchanges were created under the 2010 Affordable Health Care Act. At many health care exchanges, open enrollment will begin on October 1, 2013. A health care exchange is:

"... a regulated marketplace where consumers can more easily compare insurance plans through the Internet, on the phone, or through an official helper, called a “navigator.” Consumers can also find out if they qualify for Medicaid -- the jointly run federal/state health care program for the poor -- or for federal subsidies to help pay for the insurance... They are for small businesses and people who don’t have access to affordable insurance through an employer or are not already enrolled in a government program, such as Medicare."

Experts have projected that the shift to private health care exchanges will affect both retirees and current employees. (I'll bet you didn't know that.) The projections include 1 million workers enrolled in private health care exchanges in 2013, increasing to perhaps 40 million workers in 2018.

Other companies have announced similar health care plan changes for their retirees, including General Electric and Time Warner. Last month, the United Parcel Service announced that it will stop health care coverage for employees' spouses, who can get coverage through another employer's plan:

"By denying coverage to spouses, employers not only save the annual premiums, but also the new fees that went into effect as part of the Affordable Care Act. This year, companies have to pay $1 or $2 “per life” covered on their plans, a sum that jumps to $65 in 2014. And health law guidelines proposed recently mandate coverage of employees’ dependent children (up to age 26), but husbands and wives are optional... next year, 12% of employers plan to exclude spouses, up from 4% this year, according to a recent Towers Watson survey."

Local leaders in some states, such as North Carolina, are hosting forums to explain to residents what health care exchanges are and how they operate. The insurance commissioner in Maryland has already published rates available in the state's new health care exchange, with some rates as low as $122 per month.

What is your opinion of private health care exchanges? What is your opinion of employers that no longer cover their employees' spouses?


Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

  • During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and Apache (24).
  • During the same period, Android-based smartphones suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices.

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

"... Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scam, often referred to as “ransomware,” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet porn and materials with violent content.

Before installing apps on your smartphone, the report’s authors advise consumers to:

  1. Be ready to give out some personal information.
  2. Know that a third party will gain access to your personal information.
  3. Know the app developer’s reputation.

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).


A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release didn't disclose either the number of lost/stolen server drives or the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorneys general alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notification was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protections for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net said it has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are just becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorneys general to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?


Texas / IBM Data Center Project Failure

A good friend, Michael Krigsman, writes an excellent blog: IT project failures. The reasons vary for project failures and some are data breaches. His blog deserves a mention here because a recent post discussed a project involving IBM Corporation, a company I have had some direct experience with. Michael wrote:

"The Texas Department of Information Resources (DIR) sent IBM a “Notice to Cure,” accusing the large system integrator of failing to perform its obligations on a data center consolidation contract worth $863 million. According to an internal report prepared by the department, this is a case of the “blind leading the blind,” with both parties at fault."

Ouch! Harsh words. Sad state of affairs for a project.


IBM Distributes Virus-Infected USB Drives at Security Conference

Long-time readers know that I named this blog to honor the company that lost my sensitive personal data during a February 2007 data breach. Since then, I try to give IBM the media attention it earns.

Last week, InformationWeek magazine reported that IBM gave attendees at the AusCERT information security conference in Australia virus-infected USB thumb drives. IBM followed up this snafu with an apology via e-mail. The InformationWeek article contains the text of the e-mail message.

Nobody at IBM bothered to check the USB thumb drives before distributing them to conference attendees? Wow! And this occurred at a security conference, too.

If I ever receive a free USB drive from the leading computer and security company worldwide, one that advises other companies how to deal with data breaches, I'll be sure to scan it with anti-virus software first.


Survey: Ponemon Lists The Top 20 Most Trusted Firms For Privacy

Ponemon Institute released last month its list of the 20 most trusted companies for privacy. The list is compiled from an annual survey of 6,627 adults in the United States. Survey participants were asked to rank their most trusted companies from a list of companies provided. Highlights from this year's survey:

"Among the brands that made the top twenty were four not listed in the previous study, including Google, Weight Watchers, Walmart, and AT&T. Of the companies listed last year, Facebook, AOL, and eLoan did not make the 2010 list. 2009 was a tumultuous year for privacy, as illustrated by Facebook’s drop out of the top twenty in a year when they found themselves at the center of a very public debate over the evolution of their privacy policies and settings."

It's good to see that there is a "cost" when a Web site or company has confusing or constantly changing privacy policies and rules. Some other highlights:

"Consumers feel they are losing control of personal information: Only 41 percent of consumers feel they have control over their personal information, down from 45 last year and an overall drop from 56 percent in 2006."

The next finding definitely caught my attention:

"Identity theft is top of mind: 59 percent of consumers said fear of identity theft was a major factor in brand trust diminishment, and 50 percent said notice of a data breach was a factor. Other significant threats to brand trust were abuse of civil liberties and annoying “background chatter” in public venues."

The Top 10 most-trusted companies for privacy (with their prior year ranking in parentheses):

1. American Express (1)
2. IBM (3)
3. Johnson & Johnson (5)
4. Hewlett Packard (6)
5. E-bay (2)
6. U.S. Postal Service (6)
7. Procter & Gamble (7)
8. Amazon.com (4)
8. Nationwide (9)
9. USAA (11)
10. WebMD (13)

Google was ranked #13. Read the press release to browse the complete list of all twenty ranked companies. I'll bet a number of CEOs are wondering how the United States Postal Service outranked them. Who says that a government agency doesn't work well?

AT&T's jump up the list could be related to the telecommunications company's public statement about its behavioral targeting policy, which is more consumer-friendly than most companies. Then again, maybe the public has forgotten about AT&T's role with internal spying.

For a year-to-year comparison of the top 20 companies for privacy, see Mike Spinney's blog at the Ponemon site.


IBM Experiences Another Data Breach

IBM's February 2007 data breach exposed the personal information of all of its employees and former employees. China Tech News reported that the sensitive personal information of 1,000 IBM Shenzhen employees was disclosed by a supplier in China:

"Some IBM employees in Dalian reportedly were also victims of this identity theft scam. A Beijing-based company, which is one of the suppliers of IBM, had allegedly applied for the credit cards, which is called Foreign Enterprise Joint Name Card. Though the BOC outlet stated that it did not issue the credit cards since there were no signatures of the employees on the application forms, one of the employees from IBM said that his card had already been used."

According to Forbes Magazine, IBM moved its global procurement headquarters to Shenzhen, China in 2006. This was the first time the headquarters of a corporate-wide IBM division has been moved outside the USA. IBM reportedly has about 3,000 suppliers across Asia and employees in about 60 countries.

You'd think that by now IBM, a company that is frequently hired by other companies as a consultant about data breaches and computer security, would have this breach and supplier security situation figured out -- that it just wouldn't happen to IBM.

Just like in 2007, IBM is tight-lipped when it comes to details. IBM says it is investigating the latest breach and won't release the name of the supplier. In 2007, IBM never disclosed the name of its supplier, nor the results of its breach investigation. In 2007, IBM offered its breach victims 12 months of free credit monitoring with Kroll.

This week, IBM's X-Force released its 2009 Mid-Year Trend and Risk Report about the threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Several news media sources, including Internet News, ran the following quote about the report:

" 'The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,' said IBM X-Force Director Kris Lamb."

IBM should have added its supplier data breaches to the list of threats. Trust nobody indeed. Don't trust IBM either.


Reengineering U.S. Government, Lou Gerstner, and John Madden

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

Shortly after the Super Bowl, I was speaking with a life-long friend, Mike Siani, NFL scout, coach and former Oakland Raiders wide receiver. I said, “You know Mike, I always loved when John Madden was your coach and on first downs he would use three wide receivers (Fred Biletnikoff, Siani, and Cliff Branch) and send you all down field for a big gain pass play from QB Ken Stabler.“ (In Mike’s 9-year playing career alone, he averaged some 17 yards after each catch). “Today, most teams are so predictable. They run on the first two downs and then they try the pass on the third down.”

I can still hear it in Madden’s voice today when he says, “I’d pass on first down, you’ve got to be more aggressive right out of the box. Go for it!”

Another person who liked “going for it” in business was Lou Gerstner, the former CEO of IBM. There are at least two things Lou is known for. The first is being bold and the second being successful.

If you are holding an American Express card, chances are it’s because of the way Lou Gerstner changed their card business between 1978 and 1989. If you enjoyed a Nabisco cracker during the Super Bowl, chances are you can thank Lou Gerstner, and the fact that IBM is still one of the most successful American companies is definitely because of Mr. G.

His efforts at IBM are well known to me, in part because my business partner, Hunter Grant, and I were hired as outside consultants to review and second-guess their Internet strategy in the mid-1990’s. During that time, we looked at quite a number of projects and found them wanting, not because they didn’t have great people, but because they weren’t current with the rapid changes occurring in the information technology marketplace at the time. In addition, the organization had become so large that it was getting in its own way in creating new products. Gerstner changed that, but only after instilling in the company a belief that change and a willingness to accept ongoing examination and criticism were good things that could help drive new growth.

It was no surprise to me then when I received my September 18, 2008 edition of BusinessWeek and found that Lou Gerstner had written a great column entitled “It’s Time To Reengineer U.S. Government”. In this now five-month old article, Gerstner said:

“Amid the ongoing turmoil, it seems obvious we must reinvent our government and create an efficient system that can anticipate and avoid major crises. Despite many opportunities, however, this is not a lesson we have taken to heart. Whether the task is fixing health care, upgrading K-12 education, bolstering national security, or a host of other missions, the U.S. is better at patching problems than fixing them. Part of the reason is that we have two parties lacking comity and a sense of shared national responsibility. But beyond the partisan divide, I would argue that the processes of government are broken, preventing us from taking responsible actions.”

In the article, he invited readers to visit USA.gov and there he said:

“You'll find thousands of directorates, agencies, boards, offices, and services replete with overlapping responsibilities, ancient priorities, and divided accountability.”

He continued:

“We do not need Departments of Commerce, Labor, and Education; we need a single Department of Skills that will promote an integrated approach to global competitiveness. Our military should be trained and structured around missions, not the elements of air, water, and land. That requires fundamental change, but instead, the Defense Dept. has established an overlay of "commands" to compensate for organizational deficiencies. Does it make sense, in 2008, even to have a Bureau of Alcohol, Tobacco, Firearms & Explosives? If so, why is it part of the Treasury Dept.?”

When it comes to the financial sector, Mr. Gerstner stated:

“... the regulatory processes in place are ad hoc and depend on leaders undertaking risky initiatives. Now more than ever, we need a single federal organization to oversee all of our financial institutions.”

In addition to calling for bipartisan action and business cooperation, he suggests the creation of a commission similar to the one established by President Reagan in 1982 that became known as the Grace Commission (named after its chairman and my former boss, the late J. Peter Grace, Jr.) It was this commission that uncovered great government waste. In its final report, the Commission concluded that nearly one-third of all taxes collected by the federal government were squandered through inefficiency. Although, as Mr. Gerstner stated in his article, 2,478 recommendations were made, few were ever tried.

I agree with Lou Gerstner. A government reengineering team should be created, reporting directly to the President. It should be vigorous in its effort to create change, not for change's sake but because we know that government no longer works. It is a broken system. We are much better off defining new requirements and creating a new government structure that we can migrate to, one that is lean, flexible and powerful enough to efficiently meet the needs of tomorrow’s citizens.

Come on, don’t be afraid, you’ve got to be more aggressive out of the box. Go for it!

© 2009 WBSeebeck


Is A Total Surveillance Society Inevitable?

Recently, ZD Net Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?


One Year Anniversary of IBM Data Breach

First, I'd like to welcome the many new I've Been Mugged readers. Daily readership has grown five-fold since I started this blog. Hopefully, you have picked up plenty of tips and advice to protect your identity and personal data. I've Been Mugged readers have learned how companies archive the personal data of employees, former employees, and customers; and how some companies fail to implement strong, state-of-the-art data security processes.

I started this blog in July 2007 after a former employer, IBM, exposed my personal information during a data breach. The IBM data breach occurred exactly one year ago today. The beginning posts in this blog present my conversations with IBM and the free credit monitoring service IBM arranged for its ID-theft victims.

So far, I haven't experienced any more identity-theft problems as a result of this data breach. But, my sensitive personal data is still out there on IBM's "lost" or stolen data tapes for identity thieves to sell and abuse. I realize that the risk to me has not decreased because my data is still out there. At some future point, the thieves will crack the data encryption on those data tapes and then the "fun will begin."

Is it fair that IBM's free credit monitoring offer ends in June while the risk IBM created with its careless data handling continues indefinitely? Nope. But this is the way many companies deal with identity theft... shift the burden and risk to consumers. Companies would like consumers to believe that the risk ends before the free credit monitoring period ends.


No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.


In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.


In The Blogosphere: IT Project Failures and The Hartford's Data Breach

Whether or not you work in the Information Technology (IT) profession, IT Project Failures is a well-written blog. Michael Krigsman chronicles the missteps, mishaps, fumbles, and failures by IT departments in corporations and in government agencies. Michael is a good friend and I hope that more IT professionals read his blog and learn from the examples.

In a recent post, Michael wrote about a data breach at The Hartford insurance company. Data breaches are just one of the many types of IT department fumbles and mishaps.

The Hartford's data breach reminded me a lot of IBM's data breach earlier this year, when IBM lost my personal data. After reading the news reports in PC World and Cleveland.com (Note: State of Ohio Insurance Director Mary Jo Hudson is asking good questions), both companies' data breaches have some similarities:

  1. Both companies lost backup data tapes
  2. Both companies claim the data tapes were "lost" and that there's no evidence that the lost data has been misused
  3. Both companies took more than a month to notify identity theft victims
  4. The data tapes included sensitive personal data like Social Security numbers and driver's license numbers, and
  5. Both companies offered the identity-theft victims one year of free credit monitoring

There are a couple differences. First, The Hartford was open and honest about the number of records exposed/stolen. To this day, IBM has never disclosed the number of records lost/stolen. It's difficult to trust a company that is not open and honest.

Second, The Hartford's data breach included lost/stolen customer information, while IBM's data breach included lost/stolen employee and former-employee information.

Now, back to the similarities...

It really seems dishonest when companies claim immediately after a data breach that there's no evidence of the data being stolen. First, the fact that they can't find the data tapes would be evidence enough. Second, identity criminals aren't going to announce that they've stolen or copied the tapes. Third, it'll be the identity-theft victims that discover the evidence, when identity thieves try to access their financial accounts or commit fraud in the ID-victims' names.

When companies make this claim of no evidence, they really need to be specific. Was their search for evidence only within the company? Did they approach law enforcement? Is their claim of 'no evidence' based on law enforcement's investigation?

Both companies seem to believe that one year of free credit monitoring is enough. It isn't. Identity theft victims have to monitor their financial and credit reports for a far longer time period than one year... like the rest of their lives. Both companies' data breach created this risk for the identity theft victims. So, the period of free credit monitoring should match the risk period.


How Large was IBM's Data Breach?

So far, IBM has not disclosed how many data records were "lost" in IBM's data breach. According to a post by NOLA Native on the My Left Wing blog:

"Here's what [IBM] didn't or wouldn't say: How many ex-employees were affected. That they only initially contacted people who lived in states where laws required notification. The state of NC is reporting 53,000+ citizen's data was on the tapes. I live in FL and I have not as yet been able to find out how many residents here were affected."

That's the first time I've seen a number: 53,000 records in a single state. And North Carolina is not among the largest states population-wise, like Texas, California, or New York.

I'm in a playful mood, so let's have some fun with math. Assume:

  1. IBM's employment is concentrated in about 10 states (20% of the US), and
  2. The number of "lost" records in each of those states was no greater than the number of lost records in North Carolina. (I'm being nice, too.)

This means:

10 states × 53,000 lost records per state = 530,000 total lost records

Half a million "lost" records. Wow! If I were IBM and I'd "lost" the personal data for about a half-million current and former employees, I wouldn't want to disclose it either. While that estimated number is nowhere near as huge as the 45 million records in the TJX data breach, it still isn't a small amount.

According to IBM's web site, it employed about 355,000 people worldwide in 2006. About 150,000 work in the USA. We know from news reports that the "lost" data tapes included records of both former and current employees, but mostly former employees. We also know from news reports that the data tapes were backup tapes, so I'm willing to give IBM the benefit of the doubt that they didn't "lose" the personal data for all of their current employees, just some of their current employees and a lot of former employees' records.

This seems plausible since we know from my conversation with IBM that IBM doesn't discard any former employee records. And, IBM's workforce has fluctuated with a high of about 405,000 in 1985. Use an annual workforce attrition rate between 4% and 8%, factor that for 30 to 35 historical years, and the pool of prior employee records is large enough to easily fund half a million lost records.

I know there are a lot of assumptions here, but my point is this: the number is big. Nobody wants to admit to a big number. If it was a small number, like a couple hundred or a thousand records, then I'd bet that IBM would have disclosed the number of lost records.

What do you think? How many records do you think IBM lost? Have you seen any estimates of the number of records "lost" in IBM's data breach?


Skepticism About IBM's Data Breach Notice

After reading several blog posts about IBM's data breach, I have been surprised by the number of former employees who consider IBM's data breach letter a scam. From the Being Peter Kim blog:

"Has anyone been able to verify the authenticity of this whole thing? It has warning signs: 1) No Dates, 2) No street addresses, 3) "Kroll Fraud Solutions" is not listed with BBB, 4) Kroll.com does not list an ‘office’ in Des Moines, IA, 5) IBM’s websites do not have any information about any of this, 6) Major US news sites (CNN, NBC, ABC) do not have info on this. It all seems very suspicious!" [Posted by Jennifer on 30 June 2007]

From the Brain Lint blog:

"We received one of these too. Thinking it would be a clever scam and wondering if we should respond or ignore or pursue and turn them in… Or is this legit? No way to tell short of calling IBM. Number for Kroll is in the mail and will call but still…" [Posted by Lynn on 9 June 2007]

"I got the same letter, at first I thought it was a scam by the company offering the Identity Theft protection. I worked in Clearwater, FL for IBM back in 2000-2001 for Global Services. Was this a regional or divisional problem for IBM? I am contacting friends to see how many people were involved. It is ironic this happened RIGHT after the notices for suing over lost overtime went out to IBM employees?" [Posted by Former Blue on 12 June 2007]

"I just went through a pile of mail and found the same letter. Ironically, I never worked for IBM, although I did work for Lotus but left just before IBM acquired them in 1995. Like Lynn, I’ll be checking this thing every which way to make sure it’s not scam." [Posted by Jack on 18 June 2007]

Some skepticism is understandable given all of the phishing scams e-mail users endure. But I haven't received any phishing letters via postal mail. I hope that isn't an emerging trend.

While some skepticism is healthy and understandable, there are plenty of authoritative news sources and blogs to verify IBM's data breach, an IBM web site dedicated to the data breach, and IBM's breach letter posted at the New Hampshire Department of Justice web site.

The fact that some consumers are skeptical raises some interesting issues:

  • What responsibility do companies have to notify ID-theft victims (customers, employees, and former employees) via multiple communications channels? The above skepticism could be an indicator that an e-mail-only or postal-mail-only data breach notice is not enough.
  • What responsibility do state governments have to facilitate data breach notifications? The example that comes to mind immediately is how the state of New Hampshire's Department of Justice posts data breach notifications on its web site.
  • What responsibility do consumers have to verify via an alternate channel any data breach notifications received?
  • Are the current data breach notification methods sufficient? Like anything else in life, standards change or evolve. So too should data breach notification methods.

Identity Theft Humor

Reactions to IBM's data breach notification seem to vary. This June 26, 2007 post by Shelby was too entertaining not to mention:

"Staying on the sunny side of life, IBM informed me that the information had not surfaced anywhere and that it was in such a format that it required specialized equipment to access it. They also assured me that according to their extensive investigation, the information had simply been lost, not stolen. And also, they were really, really sorry about it. In exchange for being dumbasses, they have offered me a free year's membership in a credit monitoring service, which I accepted. The service looks pretty cool, and I bet [Kroll] threw a huge party when they got the IBM deal. I didn't have to provide any kind of payment information and the service would not be automatically renewed after IBM stopped paying, but of course I'm welcome to continue their service should I choose after my free period expires. Thanks IBM!"

I know how Shelby feels. IBM's carelessness has inconvenienced us both in time and money. Plus, the risk window (during which an identity thief could sell, resell, and/or abuse our personal data) extends far beyond IBM's one year of free credit monitoring offer. Thanks IBM!
