I described in a prior blog entry the notification I received from IBM in May 2007. One of the first things I did was search the Internet for news stories about IBM's data tape loss/theft. The more I read, the more discomfort I felt. The news item in ComputerWorld summed up IBM's data tape loss quite well:
When this article says things like, "The data tapes require a tape drive to be read..." it indicates that some or all of IBM's data tapes were not encrypted. The article in CIO magazine makes it clear that the lost/stolen data tapes contained personal data of mostly former IBM employees. Why weren't these tapes encrypted? Why such lax data security for personal data about former employees? Does IBM still do business with the contractor? Apparently, yes. Is anyone being held accountable for this incident? I have not received any communication from IBM with answers to these and similar questions. And as I read the news stories, it's unclear whether the incident was a data tape loss or a theft.
A May 2007 news article in informationWeek pretty much reflected the same story line:
Fell off the back of a truck? How could this happen? With annual revenues exceeding $90 billion in 2006, IBM is one of the world's leading computer companies, if not the leading computer company, providing hardware, software, and services to companies worldwide. You may remember the TJX identity theft incident. Hackers broke into various TJX companies' computer systems over a two-year period and stole the personal data for over 45 million records/people. (I didn't shop at any TJX brand stores, so I wasn't affected by this data breach.) Who did TJX hire to help them repair their systems? IBM!
In its 2006 Annual Report, IBM emphasizes its strategy around innovation:
IBM’s lines of business work together in a model defined by innovation and global integration, the twin imperatives that we believe are reshaping business and society in the 21st century. This ability to both innovate and integrate — and do so in ways that are truly global — is unique to IBM, and sets us apart from our competition. Last year was in many ways the culmination of our repositioning of IBM as an innovation company. Its most visible manifestation was our marketing and communications campaign around the theme, “What makes you special?”
Various IBM technicians write research papers and technical papers, and participate in conferences, about information security. IBM also markets its white papers (example: this one is about security) through online distributors. At its web site, you can read plenty of case studies about how IBM security solutions benefit companies and governments. Heck... IBM even has an ethical hacking service where IBM technicians will hack or break into a client company's computer systems to test the client's information protection systems. In my opinion, being truly innovative means practicing what you preach, or walking the talk. It means employing internally the information security processes which you sell to other companies. There was nothing special or innovative about IBM's data tape loss in February 2007... an event where IBM's carelessness or negligence now inconveniences me (and other former employees) both with time and money.
For a company specializing in computing innovation, I expect far more. For a company emphasizing security solutions, I expect far more. And I have a right to expect far more because IBM has decided to continue to store my personal data.
So, how did IBM's data tape theft/loss happen? In my opinion and based on IBM's legacy businesses, IBM ought to know better about data security. Wait... let me revise that... IBM does know better about how to protect sensitive personal data. So why wasn't it done for records about former IBM employees? I wonder if either IBM didn't care about protecting the data of prior employees, or cared but didn't enforce its own information security processes internally. Either way, it stinks.
It is shocking to me -- and I hope to you -- that IBM has not held anyone accountable for the data tape loss, still does business with this unnamed (and still undisclosed) contractor, and hasn't communicated to people affected (me and other former employees) about what IBM is doing to protect our sensitive personal data so this doesn't happen again. Think of it this way... since this data breach happened at IBM, consider how many of your former employers aren't sufficiently protecting your personal data.
IBM seems rather tight-lipped about the whole identity loss/theft incident. The reason given in the news articles by an IBM spokesperson, McNeese, is "security reasons." That's a convenient rationale if your employees (or your contractor) have dropped the security ball in a big way. It's also after the event... our personal data is out there for patient thieves to use.
IBM's actions so far haven't made me feel confident about their intent to protect my personal data. In future blog entries I will discuss in more detail IBM's actions, its proposed solution for the data tape loss/theft, its communications (or lack thereof), and the questions I have submitted to IBM. We'll see if IBM responds to my inquiry, and if so, how quickly and with what level of detail.
Next entry: fraud alerts