25 posts categorized "IBM"

Apple News: Electronic Book Price Fixing Settlement; IBM Partnership; EU Concerns About In-App Purchases By Children

Last week, the Office of the Massachusetts Attorney General (AG) announced a settlement with Apple Inc. regarding electronic book (a/k/a e-book) price fixing allegations. AGs from 33 states had filed lawsuits against the company:

"Contingent upon the resolution of Apple’s appeal of a U.S. District Court verdict from 2013, consumers nationwide will receive a total of $400 million, with Massachusetts consumers estimated to receive more than $12 million in refunds. The agreement also remains subject to approval by the U.S. District Court for the Southern District of New York."

Additional details about the Apple settlement:

"The exact amount of consumer relief is contingent upon the affirmation of a U.S. District Court’s July 2013 verdict that Apple violated federal and state antitrust laws by orchestrating a conspiracy with five publishers – Penguin Group (USA), Inc. (now part of Penguin Random House); Holtzbrinck Publishers LLC d/b/a Macmillan; Hachette Book Group Inc.; HarperCollins Publishers LLC; and Simon & Schuster Inc. – to artificially raise prices for E-books between 2010 and 2012 in order to eliminate retail price competition."

Information about the publishers' settlement:

"E-book purchasers nationwide are already entitled to refunds totaling $166 million in settlement funds paid by the five publishers involved in the conspiracy. Massachusetts consumers are due more than $5 million from these funds in compensation pursuant to these settlements."

Martha Coakley, the Massachusetts AG, said in a statement:

“Price collusion amongst competitors is unacceptable and this agreement will ensure that those responsible are held accountable... We are hopeful that this settlement will go through so that affected consumers can receive significant refunds as a result of these violations.”

New York State AG Eric T. Schneiderman said in a statement:

"... the biggest, most powerful companies in the world must play by the same rules as everyone else... We will continue to work with our colleagues in other states to ensure that all companies compete fairly with the knowledge that no one is above the law.”

Good. I applaud the AGs for this enforcement action. In related news, Apple announced a partnership with IBM Inc. to:

"... redefine the way work will get done, address key industry mobility challenges and spark true mobile-led business change—grounded in four core capabilities:

1. a new class of more than 100 industry-specific enterprise solutions including native apps, developed exclusively from the ground up, for iPhone and iPad;
2. unique IBM cloud services optimized for iOS, including device management, security, analytics and mobile integration;
3. new AppleCare® service and support offering tailored to the needs of the enterprise; and
4. new packaged offerings from IBM for device activation, supply and management."

Meanwhile, many parents in Europe are concerned about how app-based games are marketed. Engadget reported last week:

"... while Google addressed its concerns around games with in-app purchasing, Apple has yet to offer a strategy. Following hordes of complaints by outraged parents, the EU asked both companies to implement changes to the way they sell such apps in their stores. Those include not misleading consumers about supposedly "free" games, not "directly exhorting" children to buy in-game items, thoroughly informing customers about payment arrangements and forcing game-makers to provide contact information."

The request by the European Commission and the Consumer Protection Cooperation (CPC) Network included:

"1. Games advertised as "free" should not mislead consumers about the true costs involved;
2. Games should not contain direct exhortation to children to buy items in a game or to persuade an adult to buy items for them;
3. Consumers should be adequately informed about the payment arrangements for purchases and should not be debited through default settings without consumers’ explicit consent;
4. Traders should provide an email address so that consumers can contact them in case of queries or complaints."

The Engadget news article also included this statement by Apple:

"... over the last year we made sure any app which enables customers to make in-app purchases is clearly marked. We've also created a Kids Section on the App Store with even stronger protections to cover apps designed for children younger than 13. These controls go far beyond the features of others in the industry. But we are always working to strengthen the protections we have in place, and we're adding great new features with iOS 8, such as Ask to Buy, giving parents even more control over what their kids can buy on the App Store..."

This statement was after a $32.5 million settlement in March 2014 with the U.S. Federal Trade Commission (FTC):

"... a final order resolving FTC allegations that Apple Inc. unfairly charged consumers for in-app purchases incurred by children without their parents’ consent... by March 31, 2014, Apple must change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for in-app purchases. Apple also must provide full refunds, totaling a minimum of $32.5 million, to consumers who were billed for in-app purchases that were incurred by children... Should Apple issue less than $32.5 million in refunds to consumers within the 12 months after the settlement becomes final, the company must remit the balance to the Commission. By April 15, 2014, Apple must notify all consumers charged for in-app purchases with instructions on how to obtain a refund for unauthorized purchases by kids."

In-app purchases can be expensive. Experts advise parents to closely monitor their children's game activity.


IBM To Move 110,000 Retirees From Its Sponsored Health Care Plan To Private Exchanges. Other Companies Plot Similar Moves

Earlier this week, IBM announced that it will move about 110,000 Medicare-eligible retirees from its current company-sponsored health plan to private health care insurance exchanges. Retirees will receive payments towards the cost of health care through exchanges.

While IBM denied that costs were the reason for the move, the news report stated that experts have estimated Medicare costs to triple by 2020. So, while the move may not save IBM any money today, it seems the company's decision is clearly cost-related -- to save itself money in the future.

Reportedly, the new plan for IBM retirees will start January 1, 2014. According to the Chicago Tribune:

"IBM also said it was hosting meetings with groups of retirees across the country to inform them about the move to the country's largest private Medicare Exchange. While some retirees may be skeptical, studies showed that the majority of people have a more positive outlook once they were presented with the concept and understood the options available to them through these exchanges..."

Health care exchanges were created under the 2010 Affordable Health Care Act. At many health care exchanges, open enrollment will begin on October 1, 2013. A health care exchange is:

"... a regulated marketplace where consumers can more easily compare insurance plans through the Internet, on the phone, or through an official helper, called a “navigator.” Consumers can also find out if they qualify for Medicaid -- the jointly run federal/state health care program for the poor -- or for federal subsidies to help pay for the insurance... They are for small businesses and people who don’t have access to affordable insurance through an employer or are not already enrolled in a government program, such as Medicare."

Experts have projected that the shift to private health care exchanges will affect both retirees and current employees. (I'll bet you didn't know that.) The projections include 1 million workers enrolled in private health care exchanges in 2013, increasing to perhaps 40 million workers in 2018.

Other companies have announced similar health care plan changes for their retirees, including General Electric and Time Warner. Last month, the United Parcel Service announced that it will stop health care coverage for employees' spouses, who can get coverage through another employer's plan:

"By denying coverage to spouses, employers not only save the annual premiums, but also the new fees that went into effect as part of the Affordable Care Act. This year, companies have to pay $1 or $2 “per life” covered on their plans, a sum that jumps to $65 in 2014. And health law guidelines proposed recently mandate coverage of employees’ dependent children (up to age 26), but husbands and wives are optional... next year, 12% of employers plan to exclude spouses, up from 4% this year, according to a recent Towers Watson survey."

Local leaders in some states, such as North Carolina, are hosting forums to explain to residents what health care exchanges are and how they operate. The insurance commissioner in Maryland has already published rates available in the state's new health care exchange, with some rates as low as $122 per month.

What is your opinion of private health care exchanges? What is your opinion of employers that no longer cover their employees' spouses?


Security Report Describes Multiple Threats Targeting Apple And Android Mobile Devices

Your Apple brand mobile device may not be as secure as you think it is. Trend Micro released a report last week about mobile device security. Key findings from the report:

  • During the first three months of 2012, Apple led all major technology vendors with 91 reported vulnerabilities (http://cve.mitre.org/); followed by Oracle (78), Google (73), Microsoft (43), IBM (42), Cisco (36), Mozilla (30), MySQL (28), Adobe (27), and Apache (24).
  • During the same period, Android-based smartphones suffered from the most cyber criminal attacks. Trend Micro identified about 5,000 new malicious apps that target Android devices.

The report described a variety of scams and threats targeting mobile device users worldwide. The “one-click billing fraud” scam is particularly nasty. In this scam, thieves target video sharing websites. When a person clicks on a link to view a video, the link redirects to a website that downloads a software virus to their device. The virus locks up the person’s device and demands payment to unlock the device. This scam now targets Android-based smartphones.

Some scams used email hoaxes about new products to spread malware:

"Free “iPad 3” giveaway promos stirred up interest in the product even before its launch and infected systems with malware. Twitter spam touting free McDonald’s gift cards redirected users to adult dating sites..."

Some scams used new social networking sites to spread computer viruses:

“New social networking site, Pinterest, gained not just popularity but also notoriety. Site users were drawn into “re-pinning” a Starbucks logo to get supposed gift cards but instead got Malware.”

The report describes another type of scam, often referred to as “ransomware,” which:

“Refers to a class of malware that holds systems and/or files “hostage” unless victims pay up...”

Ransomware may also encrypt files on the hard drives of victims’ infected devices, and demand payment to release the encrypted files. Trend Micro reported that this scam previously operated in Russia, but has now spread to several countries in Europe. A variation of this scam includes the use of police department logos on a landing page which demands that victims with infected computers pay a bogus fine for accessing Internet pornography and materials with violent content.

Before installing apps on your smartphone, the report’s authors advise consumers to:

  1. Be ready to give out some personal information.
  2. Know that a third-party will gain access to your personal information.
  3. Know the app developer’s reputation.

Download the “Security In the Age of Mobility” report (Adobe PDF, 2.1 MBytes).


A Second Data Breach at Health Net Affects 1.9 Million Consumers

On Monday of this week, Health Net announced a data breach and the company's ongoing investigation into lost/stolen server drives from its data center in Rancho Cordova, Calif. According to the press release:

"This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives. After a forensic analysis, Health Net has determined that personal information of some former and current Health Net members, employees and health care providers is on the drives, and may include names, addresses, health information, Social Security numbers and/or financial information."

This is interesting for several reasons. First, the Health Net press release disclosed neither the number of lost/stolen server drives, nor the number of consumers' records lost/stolen. That's usually a bad sign that the breach is a huge one. The California Department of Managed Health Care (DMHC) issued a statement (43k bytes; PDF document) that the Health Net breach included 1.9 million current and prior Health Net customers nationwide, including:

"... more than 622,000 enrollees in Health Net products regulated by the DMHC, more than 223,000 enrolled in California Department of Insurance products, and a number enrolled in Medicare."

The DMHC is rightly concerned and conducting its own investigation. The DMHC statement also said that nine (9) Health Net server drives were missing.

Second, the above Health Net press release mentioned the name of an IT outsource vendor I recognized, IBM. I have had some direct, personal experience with an IBM breach. And IBM's involvement in the Health Net breach has a twist of irony.

After its 2007 data breach, IBM never disclosed what actions it took, if any, with the outsource vendor it hired to ship its backup computer data tapes to an off-site facility. Did IBM fire its vendor, or were specific vendor's employees disciplined or terminated? We never learned what happened. Now, to use a common expression, "the shoe is on the other foot" as IBM is the vendor involved in its client's data breach.

Third, this is the second huge data breach at Health Net. In November 2009, Health Net suffered a huge data breach. That 2009 data breach included hard drives, too, where the sensitive personal data lost/stolen included the Social Security numbers, medical records and health information dating back to 2002 of 1.5 million past and current customers in several states. During the last few months, Health Net paid fines to several states to settle the 2009 breach. Several states' attorneys general alleged that the 2009 breach violated the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), and some states' local laws.

Fourth, ABC News focused its coverage on the delayed notification. Apparently, Health Net learned about the missing server drives in February, notified the California Attorney General's office on March 4, and then notified the public on March 14. The delay in notification was part of the rationale for the settlement fines Health Net paid as a result of its 2009 data breach.

Fifth, the Connecticut Attorney General's office has demanded that Health Net provide identity-theft and credit protections for 25,000 Connecticut residents affected by the data breach. In its breach announcement, Health Net said it has hired Debix (again) to provide two years of complimentary identity-theft and credit protection for breach victims.

Sixth, the nationwide impacts of the Health Net data breach are just becoming known. About 40,000 consumers in Washington state have been affected. I expect more states' regulatory agencies and/or attorneys general to issue statements about the impacts in their states.

After such a huge data breach in 2009, you'd think that the executives at Health Net would "get it," implement tightened data security, and implement both new data security policies and employee training to prevent another massive data breach. Well, another massive breach happened. As a wise person once said, actions speak louder than words.

I am hoping that the consequences for Health Net executives include much more than fines. Executives need to be fired and/or jailed. What do you think? What action, if any, should Health Net take with its outsource vendor, IBM?


Texas / IBM Data Center Project Failure

A good friend, Michael Krigsman, writes an excellent blog: IT project failures. The reasons vary for project failures and some are data breaches. His blog deserves a mention here because a recent post discussed a project involving IBM Corporation, a company I have had some direct experience with. Michael wrote:

"The Texas Department of Information Resources (DIR) sent IBM a “Notice to Cure,” accusing the large system integrator of failing to perform its obligations on a data center consolidation contract worth $863 million. According to an internal report prepared by the department, this is a case of the “blind leading the blind,” with both parties at fault."

Ouch! Harsh words. Sad state of affairs for a project.


IBM Distributes Virus-Infected USB Drives at Security Conference

Long-time readers know that I named this blog to honor the company that lost my sensitive personal data during a February 2007 data breach. Since then, I try to give IBM the media attention it earns.

Last week, InformationWeek magazine reported that IBM gave attendees at the AusCERT information security conference in Australia virus-infected USB thumb drives. IBM followed up this snafu with an apology via e-mail. The InformationWeek article contains the text of the e-mail message.

Nobody at IBM bothered to check the USB thumb drives before distributing them to conference attendees? Wow! And this occurred at a security conference, too.

If I ever receive a free USB drive from the leading computer and security company worldwide, one that advises other companies how to deal with data breaches, I'll be sure to scan it with anti-virus software first.


Survey: Ponemon Lists The Top 20 Most Trusted Firms For Privacy

Ponemon Institute released last month its list of the 20 most trusted companies for privacy. The list is compiled from an annual survey of 6,627 adults in the United States. Survey participants were asked to rank their most trusted companies from a list of companies provided. Highlights from this year's survey:

"Among the brands that made the top twenty were four not listed in the previous study, including Google, Weight Watchers, Walmart, and AT&T. Of the companies listed last year, Facebook, AOL, and eLoan did not make the 2010 list. 2009 was a tumultuous year for privacy, as illustrated by Facebook’s drop out of the top twenty in a year when they found themselves at the center of a very public debate over the evolution of their privacy policies and settings."

It's good to see that there is a "cost" when a Web site or company has confusing or constantly changing privacy policies and rules. Some other highlights:

"Consumers feel they are losing control of personal information: Only 41 percent of consumers feel they have control over their personal information, down from 45 last year and an overall drop from 56 percent in 2006."

The next finding definitely caught my attention:

"Identity theft is top of mind: 59 percent of consumers said fear of identity theft was a major factor in brand trust diminishment, and 50 percent said notice of a data breach was a factor. Other significant threats to brand trust were abuse of civil liberties and annoying “background chatter” in public venues."

The Top 10 most-trusted companies for privacy (with their prior year ranking in parentheses):

1. American Express (1)
2. IBM (3)
3. Johnson & Johnson (5)
4. Hewlett Packard (6)
5. eBay (2)
6. U.S. Postal Service (6)
7. Procter & Gamble (7)
8. Amazon.com (4)
8. Nationwide (9)
9. USAA (11)
10. WebMD (13)

Google was ranked #13. Read the press release to browse the complete list of all twenty ranked companies. I'll bet a number of CEOs are wondering how the United States Postal Service outranked them. Who says that a government agency doesn't work well?

AT&T's jump up the list could be related to the telecommunications company's public statement about its behavioral targeting policy, which is more consumer-friendly than most companies. Then again, maybe the public has forgotten about AT&T's role with internal spying.

For a year-to-year comparison of the top 20 companies for privacy, see Mike Spinney's blog at the Ponemon site.


IBM Experiences Another Data Breach

IBM's February 2007 data breach exposed the personal information of all of its employees and former employees. China Tech News reported that the sensitive personal information of 1,000 IBM Shenzhen employees was disclosed by a supplier in China:

"Some IBM employees in Dalian reportedly were also victims of this identity theft scam. A Beijing-based company, which is one of the suppliers of IBM, had allegedly applied for the credit cards, which is called Foreign Enterprise Joint Name Card. Though the BOC outlet stated that it did not issue the credit cards since there were no signatures of the employees on the application forms, one of the employees from IBM said that his card had already been used."

According to Forbes Magazine, IBM moved its global procurement headquarters to Shenzhen, China in 2006. This was the first time the headquarters of a corporate-wide IBM division has been moved outside the USA. IBM reportedly has about 3,000 suppliers across Asia and employees in about 60 countries.

You'd think that by now IBM, a company that is frequently hired by other companies as a consultant about data breaches and computer security, would have this breach and supplier security situation figured out -- that it just wouldn't happen to IBM.

Just like in 2007, IBM is tight-lipped when it comes to details. IBM says it is investigating the latest breach and won't release the name of the supplier. In 2007, IBM never disclosed the name of its supplier, nor the results of its breach investigation. In 2007, IBM offered its breach victims 12 months of free credit monitoring with Kroll.

This week, IBM's X-Force released its 2009 Mid-Year Trend and Risk Report about the threats that affect Internet security, including software vulnerabilities and public exploitation, malware, spam, phishing, web-based threats, and general cyber criminal activity. Several news media sources, including Internet News, ran the following quote about the report:

" 'The trends highlighted by the report seem to indicate that the Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,' said IBM X-Force Director Kris Lamb."

IBM should have added its supplier data breaches to the list of threats. Trust nobody indeed. Don't trust IBM either.


Reengineering U.S. Government, Lou Gerstner, and John Madden

[Editor's Note: Today's blog post is by guest author William Seebeck. I've known Bill for decades, going back to our time working together at Lexis-Nexis in Dayton, Ohio during the 1980's. Bill has a wealth of experience in online systems, banking, publishing, and public relations.]

By Bill Seebeck

Shortly after the Super Bowl, I was speaking with a life-long friend, Mike Siani, NFL scout, coach and former Oakland Raiders wide receiver. I said, “You know Mike, I always loved when John Madden was your coach and on first downs he would use three wide receivers (Fred Biletnikoff, Siani, and Cliff Branch) and send you all down field for a big gain pass play from QB Ken Stabler.” (In Mike’s 9-year playing career alone, he averaged some 17 yards after each catch.) “Today, most teams are so predictable. They run on the first two downs and then they try the pass on the third down.”

I can still hear it in Madden’s voice today when he says, “I’d pass on first down, you’ve got to be more aggressive right out of the box. Go for it!”

Another person who liked “going for it” in business was Lou Gerstner, the former CEO of IBM. There are at least two things Lou is known for. The first is being bold and the second being successful.

If you are holding an American Express card, chances are it’s because of the way Lou Gerstner changed their card business between 1978 and 1989. If you enjoyed a Nabisco cracker during the Super Bowl, chances are you can thank Lou Gerstner, and the fact that IBM is still one of the most successful American companies is definitely because of Mr. G.

His efforts at IBM are well known to me, in part because my business partner, Hunter Grant, and I were hired as outside consultants to review and second-guess their Internet strategy in the mid-1990’s. During that time, we looked at quite a number of projects and found them wanting, not because they didn’t have great people, but because they weren’t current with the rapid changes occurring in the information technology marketplace at the time. In addition, the organization had become so large that it was getting in its own way in creating new products. Gerstner changed that, but only after instilling in the company a belief that change and a willingness to accept ongoing examination and criticism were good things that could help drive new growth.

It was no surprise to me then when I received my September 18, 2008 edition of BusinessWeek and found that Lou Gerstner had written a great column entitled “It’s Time To Reengineer U.S. Government”. In this now five-month old article, Gerstner said:

“Amid the ongoing turmoil, it seems obvious we must reinvent our government and create an efficient system that can anticipate and avoid major crises. Despite many opportunities, however, this is not a lesson we have taken to heart. Whether the task is fixing health care, upgrading K-12 education, bolstering national security, or a host of other missions, the U.S. is better at patching problems than fixing them. Part of the reason is that we have two parties lacking comity and a sense of shared national responsibility. But beyond the partisan divide, I would argue that the processes of government are broken, preventing us from taking responsible actions.”

In the article, he invited readers to visit USA.gov and there he said:

“You'll find thousands of directorates, agencies, boards, offices, and services replete with overlapping responsibilities, ancient priorities, and divided accountability.”

He continued:

“We do not need Departments of Commerce, Labor, and Education; we need a single Department of Skills that will promote an integrated approach to global competitiveness. Our military should be trained and structured around missions, not the elements of air, water, and land. That requires fundamental change, but instead, the Defense Dept. has established an overlay of "commands" to compensate for organizational deficiencies. Does it make sense, in 2008, even to have a Bureau of Alcohol, Tobacco, Firearms & Explosives? If so, why is it part of the Treasury Dept.?”

When it comes to the financial sector, Mr. Gerstner stated:

“... the regulatory processes in place are ad hoc and depend on leaders undertaking risky initiatives. Now more than ever, we need a single federal organization to oversee all of our financial institutions.”

In addition to calling for bipartisan action and business cooperation, he suggests the creation of a commission similar to the one established by President Reagan in 1982 that became known as the Grace Commission (named after its chairman and my former boss, the late J. Peter Grace, Jr.). It was this commission that uncovered great government waste. In its final report, the Commission concluded that nearly one-third of all taxes collected by the federal government were squandered through inefficiency. Although, as Mr. Gerstner stated in his article, 2,478 recommendations were made, few were ever tried.

I agree with Lou Gerstner. A government reengineering team should be created, reporting directly to the President. It should be vigorous in its effort to create change, not for change's sake but because we know that government no longer works. It is a broken system. We are much better off defining new requirements and creating a new government structure that we can migrate to, one that is lean, flexible and powerful enough to efficiently meet the needs of tomorrow’s citizens.

Come on, don’t be afraid, you’ve got to be more aggressive out of the box. Go for it!

© 2009 WBSeebeck


Is A Total Surveillance Society Inevitable?

Recently, ZDNet Australia reported about the Legal Futures Conference at Stanford University in California. Several technologists and legal experts attended the conference. Many legal experts have again raised concerns that Web 2.0 has come at the expense of individual privacy. The article quoted an IBM technologist at the conference who said:

" 'A total surveillance is not only inevitable and irreversible, but also irresistible,' Jeff Jonas, distinguished engineer and chief scientist at IBM Entity Analytics, said during a panel on surveillance at the conference on Saturday. For example, imagine how convenient it would be to have RFID chips embedded in sunglasses so you could find them easily, Jonas said."

Is he serious? Inevitable? Irresistible? Just so I can find my sunglasses? Consider this:

"Jennifer Granick, civil liberties director at the Electronic Frontier Foundation, acknowledged that she finds the location-based technology in her iPhone very convenient when she's trying to avoid traffic congestion but she doesn't want the government to be able to use that technology to track her down. The fact that all sorts of data about each of us is being gathered and is archived, searchable, and can be compiled to create profiles about each of us is what makes digital privacy intrusions so much scarier than pre-Internet life, she said."

Jeffrey Rosen, a law professor at George Washington University and legal affairs editor of The New Republic, warned of:

"... "privacy chernobyls," which he described as "new threats to privacy that have the potential to transform society in troubling ways". Examples include Facebook revealing more about its members than they care to have revealed and tracking their purchases without consent, as well as AOL inadvertently exposing search terms of 650,000 people in 2006."

Are attitudes in the USA unique?

"The perspective is different in other countries, Rosen said. Americans are, in general, concerned with preventing terrorism, while Europeans are concerned with protecting their individual privacy, he said. For example, the French will bare their breasts but not their salaries and mortgages, and the reverse is true in the US. "My fear is that the cultural differences will make thoughtful regulation difficult," Rosen said."

Probably the most important conclusion:

"Government regulation is necessary to ensure that consumers' privacy is adequately protected online, Granick and Rosen said. Orin Kerr, a professor at George Washington University Law School, said the Fourth Amendment can be applied to the online world in a way that balances individual rights with law enforcement needs."

I find a total surveillance society easily resistible. Nor is it inevitable. We have a choice. What do you think?


One Year Anniversary of IBM Data Breach

First, I'd like to welcome the many new I've Been Mugged readers. Daily readership has grown five-fold since I started this blog. Hopefully, you have learned plenty about tips and advice to protect your identity and personal data. I've Been Mugged readers have learned how companies archive the personal data of employees, former employees, and customers; and how some companies fail to implement strong, state-of-the-art data security processes.

I started this blog in July 2007 after a former employer, IBM, exposed my personal information during a data breach. The IBM data breach occurred exactly one year ago today. The beginning posts in this blog present my conversations with IBM and the free credit monitoring service IBM arranged for its ID-theft victims.

So far, I haven't experienced any more identity-theft problems as a result of this data breach. But, my sensitive personal data is still out there on IBM's "lost" or stolen data tapes for identity thieves to sell and abuse. I realize that the risk to me has not decreased because my data is still out there. At some future point, the thieves will crack the data encryption on those data tapes and then the "fun will begin."

Is it fair that IBM's free credit monitoring offer ends in June while the risk IBM created with its careless data handling continues indefinitely? Nope. But this is the way many companies deal with identity theft... shift the burden and risk to consumers. Companies would like consumers to believe that the risk ends before the free credit monitoring period ends.


No Updates From IBM At Its Web Site About Its February 2007 Data Breach

Every few weeks, I check IBM's employee web site for any updates about the company's February 2007 data breach. So far, IBM has not updated the site page. It contains the same content it did when I first visited the site in May 2007 -- eight months ago.

I had hoped that the site would have included updates about the status of the breach and data tape investigation. Maybe IBM will have recovered some or all of the "lost" data tapes by now? Or maybe the investigation might have uncovered some corrupt employees or vendor employees? I had hoped that IBM would have communicated more frequently with the identity-theft victims its breach created.

I am still hoping that during the next few months IBM will update the site with information about extending the credit monitoring service with Kroll after the year of free credit monitoring ends. Who knows, maybe the term of free credit monitoring will be extended.

It's hard to know what's going on with IBM since the page displays the same stale information it did in May 2007. Various news reports have reported that IBM cut the base pay of many employees by 15% after settling various class-action lawsuits which claimed that the company denied the workers overtime pay by illegally classifying them as exempt instead of hourly. Apparently, the pay cuts extend beyond the original group of employees identified in the class-action lawsuits.

Sounds like an attempt by IBM to play hard-ball.


In The News: Kroll, IBM, and I've Been Mugged

I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.


In The Blogosphere: IT Project Failures and The Hartford's Data Breach

Whether or not you work in the Information Technology (IT) profession, IT Project Failures is a well-written blog. Michael Krigsman chronicles the missteps, mishaps, fumbles, and failures by IT departments in corporations and in government agencies. Michael is a good friend and I hope that more IT professionals read his blog and learn from the examples.

In a recent post, Michael wrote about a data breach at The Hartford insurance company. Data breaches are just one of the many types of IT department fumbles and mishaps.

The Hartford's data breach reminded me a lot of IBM's data breach earlier this year, when IBM lost my personal data. After reading the news reports in PC World and Cleveland.com (Note: State of Ohio Insurance Director Mary Jo Hudson is asking good questions), both companies' data breaches have some similarities:

  1. Both companies lost backup data tapes
  2. Both companies claim the data tapes were "lost" and that there's no evidence that the lost data has been misused
  3. Both companies took more than a month to notify identity theft victims
  4. The data tapes included sensitive personal data like SS#'s and driver's license numbers, and
  5. Both companies offered the identity-theft victims one year of free credit monitoring

There are a couple of differences. First, The Hartford was open and honest about the number of records exposed/stolen. To this day, IBM has never disclosed the number of records lost/stolen. It's difficult to trust a company that is not open and honest.

Second, The Hartford's data breach included lost/stolen customer information, while IBM's data breach included lost/stolen employee and former-employee information.

Now, back to the similarities...

It really seems dishonest when companies claim immediately after a data breach that there's no evidence of the data being stolen. First, the fact that they can't find the data tapes would be evidence enough. Second, identity criminals aren't going to announce that they've stolen or copied the tapes. Third, it'll be the identity-theft victims that discover the evidence, when identity thieves try to access their financial accounts or commit fraud in the ID-victims' names.

When companies make this claim of no evidence, they really need to be specific. Was their search for evidence only within the company? Did they approach law enforcement? Is their claim of 'no evidence' based on law enforcement's investigation?

Both companies seem to believe that one year of free credit monitoring is enough. It isn't. Identity theft victims have to monitor their financial and credit reports for a far longer time period than one year... like the rest of their lives. Both companies' data breaches created this risk for the identity theft victims. So, the period of free credit monitoring should match the risk period.


How Large was IBM's Data Breach?

So far, IBM has not disclosed how many data records were "lost" in IBM's data breach. According to a post by NOLA Native on the My Left Wing blog:

"Here's what [IBM] didn't or wouldn't say: How many ex-employees were affected. That they only initially contacted people who lived in states where laws required notification. The state of NC is reporting 53,000+ citizens' data was on the tapes. I live in FL and I have not as yet been able to find out how many residents here were affected."

That's the first time I've seen a number: 53,000 records in a single state. And North Carolina is not the largest state population-wise, like Texas, California, or New York.

I'm in a playful mood, so let's have some fun with math. Assume:

  1. IBM's employment is concentrated in about 10 states (20% of the US), and
  2. The number of "lost" records in each of those states was no greater than the number of lost records in North Carolina. (I'm being nice, too.)

This means:

10 states X 53,000 lost records per state = 530,000 total lost records

Half a million "lost" records. Wow! If I were IBM and I'd "lost" the personal data for about a half-million current and former employees, I wouldn't want to disclose it either. While that estimated number is nowhere near as huge as the 45 million records in the TJX data breach, it still isn't a small amount.

According to IBM's web site, it employed about 355,000 people worldwide in 2006. About 150,000 work in the USA. We know from news reports that the "lost" data tapes included records of both former and current employees, but mostly former employees. We also know from news reports that the data tapes were backup tapes, so I'm willing to give IBM the benefit of the doubt that they didn't "lose" the personal data for all of their current employees, just some of their current employees and a lot of former employees' records.

This seems plausible since we know from my conversation with IBM that IBM doesn't discard any former employee records. And, IBM's workforce has fluctuated with a high of about 405,000 in 1985. Use an annual workforce attrition rate between 4% and 8%, factor that for 30 to 35 historical years, and the pool of prior employee records is large enough to easily fund half a million lost records.

I know there are a lot of assumptions here, but my point is this: the number is big. Nobody wants to admit to a big number. If it was a small number, like a couple hundred or a thousand records, then I'd bet that IBM would have disclosed the number of lost records.

What do you think? How many records do you think IBM lost? Have you seen any estimates of the number of records "lost" in IBM's data breach?


Skepticism About IBM's Data Breach Notice

After reading several blog posts about IBM's data breach, I have been surprised by the number of former employees who consider IBM's data breach letter a scam. From the Being Peter Kim blog:

"Has anyone been able to verify the authenticity of this whole thing? It has warning signs: 1) No Dates, 2) No street addresses, 3) "Kroll Fraud Solutions" is not listed with BBB, 4) Kroll.com does not list an ‘office’ in Des Moines, IA, 5) IBM’s websites do not have any information about any of this, 6) Major US news sites (CNN, NBC, ABC) do not have info on this. It all seems very suspicious!" [Posted by Jennifer on 30 June 2007]

From the Brain Lint blog:

"We received one of these too. Thinking it would be a clever scam and wondering if we should respond or ignore or pursue and turn them in… Or is this legit? No way to tell short of calling IBM. Number for Kroll is in the mail and will call but still…" [Posted by Lynn on 9 June 2007]

"I got the same letter, at first I thought it was a scam by the company offering the Identity Theft protection. I worked in Clearwater, FL for IBM back in 2000-2001 for Global Services. Was this a regional or divisional problem for IBM? I am contacting friends to see how many people were involved. It is ironic this happened RIGHT after the notices for suing over lost overtime went out to IBM employees?" [Posted by Former Blue on 12 June 2007]

"I just went through a pile of mail and found the same letter. Ironically, I never worked for IBM, although I did work for Lotus but left just before IBM acquired them in 1995. Like Lynn, I’ll be checking this thing every which way to make sure it’s not a scam." [Posted by Jack on 18 June 2007]

Some skepticism is understandable given all of the phishing scams e-mail users endure. But I haven't received any phishing letters via postal mail. I hope that isn't an emerging trend.

While some skepticism is healthy and understandable, there are plenty of authoritative news sources and blogs to verify IBM's data breach, an IBM web site dedicated to the data breach, and IBM's breach letter posted at the New Hampshire Department of Justice web site.

The fact that some consumers are skeptical raises some interesting issues:

  • What responsibility do companies have to notify ID-theft victims (customers, employees, and former employees) via multiple communications channels? The above skepticism could be an indicator that an e-mail-only or postal-mail-only data breach notice is not enough.
  • What responsibility do state governments have to facilitate data breach notifications? The example that comes to mind immediately is how the state of New Hampshire's Department of Justice posts data breach notifications on its web site.
  • What responsibility do consumers have to verify via an alternate channel any data breach notifications received?
  • Are the current data breach methods sufficient? Like anything else in life, standards change or evolve. So too should data breach notification methods.

Identity Theft Humor

Reactions to IBM's data breach notification seem to vary. This June 26, 2007 post by Shelby was too entertaining not to mention:

"Staying on the sunny side of life, IBM informed me that the information had not surfaced anywhere and that it was in such a format that it required specialized equipment to access it. They also assured me that according to their extensive investigation, the information had simply been lost, not stolen. And also, they were really, really sorry about it. In exchange for being dumbasses, they have offered me a free year's membership in a credit monitoring service, which I accepted. The service looks pretty cool, and I bet [Kroll] threw a huge party when they got the IBM deal. I didn't have to provide any kind of payment information and the service would not be automatically renewed after IBM stopped paying, but of course I'm welcome to continue their service should I choose after my free period expires. Thanks IBM!"

I know how Shelby feels. IBM's carelessness has inconvenienced us both in time and money. Plus, the risk window (during which an identity thief could sell, resell, and/or abuse our personal data) extends far beyond IBM's one year of free credit monitoring offer. Thanks IBM!

Next entry: Opt-out Resources for Consumers (Part 2)


Kroll's Offering From IBM Deserves Scrutiny

In a prior blog entry, I discussed IBM's data breach which affected an undisclosed number of current and former IBM employees. IBM offered its ID-theft victims one year of free credit monitoring with Kroll. This offer seemed attractive since prices range from "$50 to $200 per year" for a credit monitoring service. I signed up for Kroll's service in June to judge what Kroll provides -- and what IBM arranged.

Other ID theft victims are judging Kroll, too. DCG wrote the following comment about the credit-monitoring service IBM arranged with Kroll:

"I'm an EX IBM'er also. I enrolled in this service.. It's a negotiated down version that's specific to IBM. They normally provide you with copies of your credit report from all 3 agencies. The deal with IBM does not provide this. Once you enroll, they need to "baseline" your credit - that means that they need to establish what lines of credit exist right now. If your ID is stolen already, you're screwed. It'll take 1-3 months from the date of enrolling before "Theftsmart" will start generating reports. There is zero data in my account right now.. Lovely service, eh?"

When I checked my Kroll account, I noticed that mine was empty, too. When I compared my Kroll account to another credit monitoring service I've had since 2004, Kroll's service seems (so far) insufficient with far less information. For example, my other credit-monitoring service provides the full text of my credit reports from the three national credit bureaus, plus a lot more detailed information about my credit status. My Kroll account doesn't.

If DCG's comments are true, then IBM has taken a huge shortcut -- the cheap route by arranging a watered-down version of Kroll's services. I am trying to keep an open mind... to continue comparing my two credit monitoring services. In a future blog entry, I'll share my findings.

For a different opinion, a reader at radioAe6rt posted these comments about Kroll:

"You’re lucky that IBM chose the best IMHO. If you check out [Kroll's] coverage, I believe that you will find that it also is a UNIQUE restoration coverage, in addition to having a monitoring benefit. In a data loss of non public information, IBM or any other company or organization, is liable for your losses plus fines under FACT. If a financial fraud is not contested within 60 days of the bill being mailed, then under FTC Regulation E, you owe that amount, even if it was mailed to a fake address. The average financial identity theft is over $93,000 and under FACTA, the company or organization is liable for that loss if the NPI data loss causes your identity theft. The few bucks they might save on a cheap MONITORING ONLY coverage, is minor compared to losing almost $100,000 per person. (Otherwise Penny wise, pound foolish)"

I will verify this reader's comments in future blog entries. More importantly, I get the impression that IBM's offer of free credit monitoring makes it easy for IBM to shift the liability for its data breach to the data breach victim. The logic: we've given you credit monitoring... if the victim doesn't check their credit, then it's their fault. I find this insulting... let's remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees.

This reader also wrote:

"To large companies they [Kroll] offer a coverage similar to what we offer to individuals. Kroll is the only company which I know of that offers a TRUE “RESTORATION” coverage which does virtually all the work to RESTORE your identity or your spouse or significant other. The next best thing is a “RESOLUTION” coverage which is often advertised to sound like a “restoration” coverage. The next best thing gives you advice, but the victim does all the work for an average of OVER 600 hours of a trial and error that can turn into a nightmare. Almost 1/3 (27%) of those who do-it-themselves FAIL and never get their identity fixed, even after 5, 10, or more years. A restoration coverage has experts do virtually all the work to restore your identity by you just giving them a limited power of attorney to do the WORK FOR YOU, if an ID theft is discovered. The victim will still need to file a police report and maybe appear in court."

And:

"Kroll’s EXPERTS include former FBI and CIA agents, former law officers, forensic accountants, lawyers, etc. They are a 34+ year old publicly traded company with over 4,000 employees worldwide. They have been fighting identity theft for many years before the public became aware of it for the big corporations which are being hit. Then they decided they need to help those on the family side of identity theft. Most of the Identity theft services out there are only “monitoring” service either owned directly by the three main credit repositories (aka credit bureaus), or an affiliate who is reselling the services of these 3 companies. They may be offering the service under another name. I can send you more details about why restoration is the ONLY wise choice, and it can cost less than just a simple monitoring service. Ironically, a monitoring service can cost you DOUBLE what you can get the best KROLL coverage for at a discount, if the monitoring service charges full price to monitor each person in a couple."

Is this reader a Kroll employee or a paid consultant? I wonder.

Anyway, I can tell you this: I do not work for, nor am I affiliated with any computer manufacturing, software development, credit bureau, credit investigations, credit attorney, credit monitoring, or credit-consulting companies. You can rely on the fact that I've Been Mugged is independent. I've Been Mugged operates independently so my blog entries aren't tainted by corporate interests or hired consultants.

Like most other ID theft victims, I'm just an individual consumer trying to navigate a complicated ID-theft landscape which is full of potholes and detours. I am willing to ask the hard questions. I hope that you are, too.

What do you think of Kroll's services? If you are an IBM data breach victim, have you signed up for Kroll? Why or why not?

Next entry: Identity Theft Humor


A Conversation with IBM (Part 2)

On July 18, I discussed IBM's data breach with Mr. Windall White, a representative at IBM's North Carolina facility. During this phone conversation, Mr. White and I discussed my letter to Barbara Brickmeier, IBM's Vice President of Human Resources, since IBM's data breach notification came from Mrs. Brickmeier's office. Part One in this blog discussed questions about IBM's breach notification and the data breach. This blog entry covers more questions Mr. White and I discussed on July 18:

Does IBM still maintain archived data tapes with my personal data?

Mr. White explained that it has been IBM's policy to archive the personal data of former employees. After the "loss" of the back-up data tapes (with my 16-year-old data), IBM reconstructed the list of affected employees and former employees. To contact some former employees (like me), IBM hired Kroll to search public records. So, IBM (and Kroll) now have my current personal data. Mr. White did not say how long IBM planned to continue to archive my personal data, or when (or if) IBM might destroy my personal data.

Why does IBM archive records with personal data of former employees?

Mr. White explained that it has been IBM's policy to archive personal data for all former employees since different states and courts have varying requirements for records retention. He also repeated the statements from IBM's breach notification about, "... for a variety of legal, tax, and other reasons, as well as to verify IBM employment." I reminded him that the personal data IBM originally had about me was 16 years old... not very useful for employment verification. I also reminded him that I have no relationship with IBM (e.g., pension, retirement account, 401-K account, etc.) so the "tax" reason seemed irrelevant. Again, I received the standard answer.

Mr. White also indicated that IBM's protocols were under review. It was hard for me to judge how sincere a statement this is. Is IBM truly reviewing its protocols regarding records retention, or is this a convenient (and vague) answer to get me to go away quietly?

How long does IBM plan to archive my personal data?

Again, Mr. White (and IBM) were vague in answering this question. Mr. White indicated that it has been IBM's policy to retain personal data for former employees. Mr. White did not indicate when, if at all, IBM would destroy my personal data. I emphasized with Mr. White that destroying the personal data of former employees would reduce the risk to both IBM and to me of any future data breaches. I left the phone call with the understanding that IBM was continuing to archive my personal data with no destruction date planned.

What processes is IBM using to protect my personal data?

I didn't expect IBM to divulge any trade secrets, but I did ask this question because I need to feel confident that IBM is doing everything it can to protect the personal data it archives about me. Again, Mr. White's answers were vague and unhelpful.

Why did it take IBM 2.5+ months to notify me of their data breach?

First, I applaud IBM for notifying me of their data breach, especially since data breach notification is not required (yet) in the state (Massachusetts) where I live. Second, I asked this question since I received IBM's breach notification letter over 2 months after the data breach; plenty of time for identity thieves to do damage. I emphasized with Mr. White that I need to feel confident that IBM will contact me in the future in a more timely manner. Mr. White explained that IBM will use the IBM data breach notification web site and other means -- I assume to be surface postal mail and/or the telephone. My inquiry to IBM included my current e-mail address (which IBM hasn't used so far).

If other former IBM employees want to contact IBM, I've listed Mr. White's contact information below. Maybe you can get more detailed answers from IBM than I did:

Mr. Windall White
IBM, Inc.
3039 East Cornwallis Road
P.O. Box 12195
Research Triangle Park, North Carolina 27709-2195
Phone: (919) 543-5246

Post-IBM-conversation thoughts and considerations: My biggest take-aways from my conversation with IBM were that: a) IBM has had, and still has, an internal policy to archive personal data for all employees, and b) to archive this data forever. This policy sounds like a huge C-Y-A move based on the off-chance that IBM may have to defend itself in a lawsuit. IBM's records retention policy may have been effective in past decades before digital data, the Internet and home computers, but the policy now appears antiquated and obsolete given today's data environment, security needs, and ID theft threats. (Example: under IBM's existing policy, it stored employees' complete SS# and address. For increased security, many states today mandate that retailers store only part of an employee's SS# and still perform the validation and checks required. IBM could do the same.)

I also wonder why IBM kept my personal data for 12 years; 16 years including the time Lotus archived it, too. IBM's records retention policy seems to fly against generally accepted retention guidelines. Bradley University has compiled tables with the federal and state laws for records retention by:

When I reviewed these tables, I noticed that most conditions for retention ended before 3 or 4 years. Only two Health Records conditions specified a longer retention period: 30 years for "Exposure and monitoring records," and "Employment physicals/medical exams." While I am not a legal or records retention expert, neither condition seems to apply to my situation. Nothing in the tables seems to validate IBM's decision to archive former employee data for 16 years, or more. I don't have any pension, retirement, 401-K, or active files with IBM; except for the new investigation file IBM has created due to their February 2007 data breach.

I'd probably have no problem with IBM archiving my personal data if either: a) IBM's record retention policy wasn't to archive former employee personal data forever, or b) I felt confident that IBM was doing everything possible to protect my personal data. There are just too many gaps and vague answers from IBM for me to feel confident. And, the one year of free credit monitoring just doesn't cover the risk period IBM's data breach has created.

What do you think? Are IBM's answers satisfactory to you? What do you make of the Bradley University tables about records retention?

Next entry: Identity Thieves Operate Quickly