After reading several blog posts about IBM's data breach, I have been surprised by the number of former employees who consider IBM's data breach letter a scam. From the Being Peter Kim blog:
"Has anyone been able to verify the authenticity of this whole thing? It has warning signs: 1) No dates, 2) No street addresses, 3) 'Kroll Fraud Solutions' is not listed with BBB, 4) Kroll.com does not list an 'office' in Des Moines, IA, 5) IBM's websites do not have any information about any of this, 6) Major US news sites (CNN, NBC, ABC) do not have info on this. It all seems very suspicious!" [Posted by Jennifer on 30 June 2007]
From the Brain Lint blog:
"We received one of these too. Thinking it would be a clever scam and wondering if we should respond or ignore or pursue and turn them in… Or is this legit? No way to tell short of calling IBM. Number for Kroll is in the mail and will call but still…" [Posted by Lynn on 9 June 2007]
"I got the same letter; at first I thought it was a scam by the company offering the identity theft protection. I worked in Clearwater, FL for IBM back in 2000-2001 for Global Services. Was this a regional or divisional problem for IBM? I am contacting friends to see how many people were involved. It is ironic this happened RIGHT after the notices for suing over lost overtime went out to IBM employees." [Posted by Former Blue on 12 June 2007]
"I just went through a pile of mail and found the same letter. Ironically, I never worked for IBM, although I did work for Lotus but left just before IBM acquired them in 1995. Like Lynn, I’ll be checking this thing every which way to make sure it’s not scam." [Posted by Jack on 18 June 2007]
Some skepticism is understandable given all of the phishing scams e-mail users endure. But I haven't received any phishing letters via postal mail. I hope that isn't an emerging trend.
While some skepticism is healthy and understandable, there are plenty of authoritative news sources and blogs to verify IBM's data breach, an IBM web site dedicated to the data breach, and IBM's breach letter posted at the New Hampshire Department of Justice web site.
The fact that some consumers are skeptical raises some interesting issues:
- What responsibility do companies have to notify ID-theft victims (customers, employees, and former employees) via multiple communications channels? The above skepticism could be an indicator that an e-mail-only or postal-mail-only data breach notice is not enough.
- What responsibility do state governments have to facilitate data breach notifications? The example that comes to mind immediately is how the state of New Hampshire's Department of Justice posts data breach notifications on its web site.
- What responsibility do consumers have to verify via an alternate channel any data breach notifications received?
- Are the current data breach notification methods sufficient? Like anything else in life, standards change or evolve. So too should data breach notification methods.