I've Been Mugged readers may remember that in August of 2007, I was interviewed by the American Banker publication for a news story about the credit monitoring service IBM had arranged with Kroll. While this article has been available at the American Banker web site for a fee, I just learned that it is available for free in the media section at Kroll's web site.
Whether or not you work in the Information Technology (IT) profession, IT Project Failures is a well-written blog. Michael Krigsman chronicles the missteps, mishaps, fumbles, and failures by IT departments in corporations and in government agencies. Michael is a good friend and I hope that more IT professionals read his blog and learn from the examples.
In a recent post, Michael wrote about a data breach at The Hartford insurance company. Data breaches are just one of the many types of IT department fumbles and mishaps.
The Hartford's data breach reminded me a lot of IBM's data breach earlier this year, when IBM lost my personal data. After reading the news reports in PC World and Cleveland.com (Note: State of Ohio Insurance Director Mary Jo Hudson is asking good questions), I see that both companies' data breaches have some similarities:
- Both companies lost backup data tapes
- Both companies claim the data tapes were "lost" and that there's no evidence that the lost data has been misused
- Both companies took more than a month to notify identity theft victims
- The data tapes included sensitive personal data like SS#'s and driver's license numbers, and
- Both companies offered the identity-theft victims one year of free credit monitoring
There are a couple of differences. First, The Hartford was open and honest about the number of records exposed/stolen. To this day, IBM has never disclosed the number of records lost/stolen. It's difficult to trust a company that is not open and honest.
Second, The Hartford's data breach included lost/stolen customer information, while IBM's data breach included lost/stolen employee and former-employee information.
Now, back to the similarities...
It really seems dishonest when companies claim immediately after a data breach that there's no evidence of the data being stolen. First, the fact that they can't find the data tapes would be evidence enough. Second, identity criminals aren't going to announce that they've stolen or copied the tapes. Third, it'll be the identity-theft victims that discover the evidence, when identity thieves try to access their financial accounts or commit fraud in the ID-victims' names.
When companies make this claim of no evidence, they really need to be specific. Was their search for evidence only within the company? Did they approach law enforcement? Is their claim of 'no evidence' based on law enforcement's investigation?
Both companies seem to believe that one year of free credit monitoring is enough. It isn't. Identity theft victims have to monitor their financial and credit reports for a far longer time period than one year... like the rest of their lives. Both companies' data breach created this risk for the identity theft victims. So, the period of free credit monitoring should match the risk period.
"Here's what [IBM] didn't or wouldn't say: How many ex-employees were affected. That they only initially contacted people who lived in states where laws required notification. The state of NC is reporting 53,000+ citizens' data was on the tapes. I live in FL and I have not as yet been able to find out how many residents here were affected."
That's the first time I've seen a number: 53,000 records in a single state. And North Carolina is not the largest state population-wise, like Texas, California, or New York.
I'm in a playful mood, so let's have some fun with math. Assume:
- IBM's employment is concentrated in about 10 states (20% of the US), and
- The number of "lost" records in each of those states was no greater than the number of lost records in North Carolina. (I'm being nice, too.)
10 states X 53,000 lost records per state = 530,000 total lost records
Half a million "lost" records. Wow! If I were IBM and I'd "lost" the personal data for about a half-million current and former employees, I wouldn't want to disclose it either. While that estimated number is nowhere near as huge as the 45 million records in the TJX data breach, it still isn't a small amount.
According to IBM's web site, it employed about 355,000 people worldwide in 2006. About 150,000 work in the USA. We know from news reports that the "lost" data tapes included records of both former and current employees, but mostly former employees. We also know from news reports that the data tapes were backup tapes, so I'm willing to give IBM the benefit of the doubt that they didn't "lose" the personal data for all of their current employees, just some of their current employees and a lot of former employees' records.
This seems plausible since we know from my conversation with IBM that IBM doesn't discard any former employee records. And, IBM's workforce has fluctuated with a high of about 405,000 in 1985. Use an annual workforce attrition rate between 4% and 8%, factor that for 30 to 35 historical years, and the pool of prior employee records is large enough to easily fund half a million lost records.
I know there are a lot of assumptions here, but my point is this: the number is big. Nobody wants to admit to a big number. If it were a small number, like a couple hundred or a thousand records, then I'd bet that IBM would have disclosed the number of lost records.
What do you think? How many records do you think IBM lost? Have you seen any estimates of the number of records "lost" in IBM's data breach?
After reading several blog posts about IBM's data breach, I have been surprised by the number of former employees who consider IBM's data breach letter a scam. From the Being Peter Kim blog:
"Has anyone been able to verify the authenticity of this whole thing? It has warning signs: 1) No Dates, 2) No street addresses, 3) "Kroll Fraud Solutions" is not listed with BBB, 4) Kroll.com does not list an 'office' in Des Moines, IA, 5) IBM's websites do not have any information about any of this, 6) Major US news sites (CNN, NBC, ABC) do not have info on this. It all seems very suspicious!" [Posted by Jennifer on 30 June 2007]
From the Brain Lint blog:
"We received one of these too. Thinking it would be a clever scam and wondering if we should respond or ignore or pursue and turn them in… Or is this legit? No way to tell short of calling IBM. Number for Kroll is in the mail and will call but still…" [Posted by Lynn on 9 June 2007]
"I got the same letter; at first I thought it was a scam by the company offering the Identity Theft protection. I worked in Clearwater, FL for IBM back in 2000-2001 for Global Services. Was this a regional or divisional problem for IBM? I am contacting friends to see how many people were involved. It is ironic this happened RIGHT after the notices for suing over lost overtime went out to IBM employees?" [Posted by Former Blue on 12 June 2007]
"I just went through a pile of mail and found the same letter. Ironically, I never worked for IBM, although I did work for Lotus but left just before IBM acquired them in 1995. Like Lynn, I'll be checking this thing every which way to make sure it's not a scam." [Posted by Jack on 18 June 2007]
Some skepticism is understandable given all of the phishing scams e-mail users endure. But I haven't received any phishing letters via postal mail. I hope that isn't an emerging trend.
While some skepticism is healthy and understandable, there are plenty of authoritative news sources and blogs to verify IBM's data breach, an IBM web site dedicated to the data breach, and IBM's breach letter posted at the New Hampshire Department of Justice web site.
The fact that some consumers are skeptical raises some interesting issues:
- What responsibility do companies have to notify ID-theft victims (customers, employees, and former employees) via multiple communications channels? The above skepticism could be an indicator that an e-mail-only or postal-mail-only data breach notice is not enough.
- What responsibility do state governments have to facilitate data breach notifications? The example that comes to mind immediately is how the state of New Hampshire's Department of Justice posts data breach notifications on its web site.
- What responsibility do consumers have to verify via an alternate channel any data breach notifications received?
- Are the current data breach notification methods sufficient? Like anything else in life, standards change or evolve. So too should data breach notification methods.
"Staying on the sunny side of life, IBM informed me that the information had not surfaced anywhere and that it was in such a format that it required specialized equipment to access it. They also assured me that according to their extensive investigation, the information had simply been lost, not stolen. And also, they were really, really sorry about it. In exchange for being dumbasses, they have offered me a free year's membership in a credit monitoring service, which I accepted. The service looks pretty cool, and I bet [Kroll] threw a huge party when they got the IBM deal. I didn't have to provide any kind of payment information and the service would not be automatically renewed after IBM stopped paying, but of course I'm welcome to continue their service should I choose after my free period expires. Thanks IBM!"
I know how Shelby feels. IBM's carelessness has inconvenienced us both in time and money. Plus, the risk window (during which an identity thief could sell, resell, and/or abuse our personal data) extends far beyond IBM's one year of free credit monitoring offer. Thanks IBM!
In a prior blog entry, I discussed IBM's data breach which affected an undisclosed number of current and former IBM employees. IBM offered its ID-theft victims one year of free credit monitoring with Kroll. This offer seemed attractive since prices range from "$50 to $200 per year" for a credit monitoring service. I signed up for Kroll's service in June to judge what Kroll provides -- and what IBM arranged.
Other ID theft victims are judging Kroll, too. DCG wrote the following comment about the credit-monitoring service IBM arranged with Kroll:
"I'm an EX IBM'er also. I enrolled in this service. It's a negotiated-down version that's specific to IBM. They normally provide you with copies of your credit report from all 3 agencies. The deal with IBM does not provide this. Once you enroll, they need to "baseline" your credit - that means that they need to establish what lines of credit exist right now. If your ID is stolen already, you're screwed. It'll take 1-3 months from the date of enrolling before "Theftsmart" will start generating reports. There is zero data in my account right now. Lovely service, eh?"
When I checked my Kroll account, I noticed that mine was empty, too. When I compared my Kroll account to another credit monitoring service I've had since 2004, Kroll's service seems (so far) insufficient, with far less information. For example, my other credit-monitoring service provides the full text of my credit reports from the three national credit bureaus, plus a lot more detailed information about my credit status. My Kroll account doesn't.
If DCG's comments are true, then IBM has taken a huge shortcut -- the cheap route by arranging a watered-down version of Kroll's services. I am trying to keep an open mind... to continue comparing my two credit monitoring services. In a future blog entry, I'll share my findings.
For a different opinion, a reader at radioAe6rt posted these comments about Kroll:
"You're lucky that IBM chose the best IMHO. If you check out [Kroll's] coverage, I believe that you will find that it also is a UNIQUE restoration coverage, in addition to having a monitoring benefit. In a data loss of non public information, IBM or any other company or organization, is liable for your losses plus fines under FACT. If a financial fraud is not contested within 60 days of the bill being mailed, then under FTC Regulation E, you owe that amount, even if it was mailed to a fake address. The average financial identity theft is over $93,000 and under FACTA, the company or organization is liable for that loss if the NPI data loss caused your identity theft. The few bucks they might save on a cheap MONITORING ONLY coverage is minor compared to losing almost $100,000 per person. (Otherwise Penny wise, pound foolish)"
I will verify this reader's comments in future blog entries. More importantly, I get the impression that IBM's offer of free credit monitoring makes it easy for IBM to shift the liability for its data breach to the data breach victim. The logic: we've given you credit monitoring... if the victim doesn't check their credit, then it's their fault. I find this insulting... let's remember that IBM caused the problem in the first place by exposing personal data for an undisclosed number of employees.
This reader also wrote:
"To large companies they [Kroll] offer a coverage similar to what we offer to individuals. Kroll is the only company which I know of that offers a TRUE "RESTORATION" coverage which does virtually all the work to RESTORE your identity or your spouse or significant other. The next best thing is a "RESOLUTION" coverage which is often advertised to sound like a "restoration" coverage. The next best thing gives you advice, but the victim does all the work for an average of OVER 600 hours of trial and error that can turn into a nightmare. Almost 1/3 (27%) of those who do-it-themselves FAIL and never get their identity fixed, even after 5, 10, or more years. A restoration coverage has experts do virtually all the work to restore your identity by you just giving them a limited power of attorney to do the WORK FOR YOU, if an ID theft is discovered. The victim will still need to file a police report and maybe appear in court."
"Kroll's EXPERTS include former FBI and CIA agents, former law officers, forensic accountants, lawyers, etc. They are a 34+ year old publicly traded company with over 4,000 employees worldwide. They have been fighting identity theft for many years before the public became aware of it for the big corporations which are being hit. Then they decided they need to help those on the family side of identity theft. Most of the Identity theft services out there are only "monitoring" services either owned directly by the three main credit repositories (aka credit bureaus), or an affiliate who is reselling the services of these 3 companies. They may be offering the service under another name. I can send you more details about why restoration is the ONLY wise choice, and it can cost less than just a simple monitoring service. Ironically, a monitoring service can cost you DOUBLE what you can get the best KROLL coverage for at a discount, if the monitoring service charges full price to monitor each person in a couple."
Is this reader a Kroll employee or a paid consultant? I wonder.
Anyway, I can tell you this: I do not work for, nor am I affiliated with, any computer manufacturing, software development, credit bureau, credit investigations, credit attorney, credit monitoring, or credit-consulting companies. You can rely on the fact that I've Been Mugged is independent, so my blog entries aren't tainted by corporate interests or hired consultants.
Like most other ID theft victims, I'm just an individual consumer trying to navigate a complicated ID-theft landscape which is full of potholes and detours. I am willing to ask the hard questions. I hope that you are, too.
What do you think of Kroll's services? If you are an IBM data breach victim, have you signed up for Kroll? Why or why not?
On July 18, I discussed IBM's data breach with Mr. Windall White, a representative at IBM's North Carolina facility. During this phone conversation, Mr. White and I discussed my letter to Barbara Brickmeier, IBM's Vice President of Human Resources, since IBM's data breach notification came from Mrs. Brickmeier's office. Part One in this blog discussed questions about IBM's breach notification and the data breach. This blog entry covers more questions Mr. White and I discussed on July 18:
Does IBM still maintain archived data tapes with my personal data?
Mr. White explained that it has been IBM's policy to archive the personal data of former employees. After the "loss" of the back-up data tapes (with my 16-year-old data), IBM reconstructed the list of affected employees and former employees. To contact some former employees (like me), IBM hired Kroll to search public records. So, IBM (and Kroll) now have my current personal data. Mr. White did not say how long IBM planned to continue to archive my personal data, or when (or if) IBM might destroy my personal data.
Why does IBM archive records with personal data of former employees?
Mr. White explained that it has been IBM's policy to archive personal data for all former employees since different states and courts have varying requirements for records retention. He also repeated the statements from IBM's breach notification about, "... for a variety of legal, tax, and other reasons, as well as to verify IBM employment." I reminded him that the personal data IBM originally had about me was 16 years old... not very useful for employment verification. I also reminded him that I have no relationship with IBM (e.g., pension, retirement account, 401-K account, etc.) so the "tax" reason seemed irrelevant. Again, I received the standard answer.
Mr. White also indicated that IBM's protocols were under review. It was hard for me to judge how sincere a statement this is. Is IBM truly reviewing its protocols regarding records retention, or is this a convenient (and vague) answer to get me to go away quietly?
How long does IBM plan to archive my personal data?
Again, Mr. White (and IBM) were vague in answering this question. Mr. White indicated that it has been IBM's policy to retain personal data for former employees. Mr. White did not indicate when, if at all, IBM would destroy my personal data. I emphasized to Mr. White that destroying the personal data of former employees would reduce the risk to both IBM and to me of any future data breaches. I left the phone call with the understanding that IBM was continuing to archive my personal data with no destruction date planned.
What processes is IBM using to protect my personal data?
I didn't expect IBM to divulge any trade secrets, but I did ask this question because I need to feel confident that IBM is doing everything it can to protect the personal data it archives about me. Again, Mr. White's answers were vague and unhelpful.
Why did it take IBM 2.5+ months to notify me of their data breach?
First, I applaud IBM for notifying me of their data breach, especially since data breach notification is not required (yet) in the state (Massachusetts) where I live. Second, I asked this question since I received IBM's breach notification letter over 2 months after the data breach; plenty of time for identity thieves to do damage. I emphasized to Mr. White that I need to feel confident that IBM will contact me in the future in a more timely manner. Mr. White explained that IBM will use the IBM data breach notification web site and other means -- which I assume means postal mail and/or the telephone. My inquiry to IBM included my current e-mail address (which IBM hasn't used so far).
If other former IBM employees want to contact IBM, I've listed Mr. White's contact information below. Maybe you can get more detailed answers from IBM than I did:
Mr. Windall White
3039 East Cornwallis Road
P.O. Box 12195
Research Triangle Park, North Carolina 27709-2195
Phone: (919) 543-5246
Post-IBM-conversation thoughts and considerations: My biggest take-aways from my conversation with IBM were that: a) IBM has had, and still has, an internal policy to archive personal data for all employees, and b) to archive this data forever. This policy sounds like a huge C-Y-A move based on the off-chance that IBM may have to defend itself in a lawsuit. IBM's records retention policy may have been effective in past decades before digital data, the Internet and home computers, but the policy now appears antiquated and obsolete given today's data environment, security needs, and ID theft threats. (Example: under IBM's existing policy, it stored employees' complete SS#s and addresses. For increased security, many states today mandate that retailers store only part of an employee's SS# and still perform the validation and checks required. IBM could do the same.)
I also wonder why IBM kept my personal data for 12 years; 16 years including the time Lotus archived it, too. IBM's records retention policy seems to fly in the face of generally accepted retention guidelines. Bradley University has compiled tables with the federal and state laws for records retention by:
When I reviewed these tables, I noticed that most conditions for retention ended before 3 or 4 years. Only two Health Records conditions specified a longer retention period: 30 years for "Exposure and monitoring records," and "Employment physicals/medical exams." While I am not a legal or records retention expert, neither condition seems to apply to my situation. Nothing in the tables seems to validate IBM's decision to archive former employee data for 16 years, or more. I don't have any pension, retirement, 401-K, or active files with IBM; except for the new investigation file IBM has created due to their February 2007 data breach.
I'd probably have no problem with IBM archiving my personal data if either a) IBM's record retention policy wasn't to archive former employee personal data forever, or b) I felt confident that IBM was doing everything possible to protect my personal data. There are just too many gaps and vague answers from IBM for me to feel confident. And, the one year of free credit monitoring just doesn't cover the risk period IBM's data breach has created.
What do you think? Are IBM's answers satisfactory to you? What do you make of the Bradley University tables about records retention?
A prior blog entry discussed the letter I sent to Barbara Brickmeier, IBM's Vice President of Human Resources, since Mrs. Brickmeier's office sent the data breach notification. On July 16, Windall White, a representative at IBM's North Carolina facility, called me. During a 75-minute phone conversation on July 18, Mr. White and I discussed my letter, question by question. Mr. White described himself as an IBM retiree, now working in IBM's Human Resources department, as part of IBM's focus on the data breach. IBM's answers to each of my questions are listed below:
How exactly did IBM verify that I was the correct person in their records?
I asked this question since IBM's letter was a surprise, because I have never worked for IBM. Mr. White verified that IBM acquired my personal data when IBM purchased Lotus Development Corporation in 1995. So, Lotus kept my personal data for about 4 years; and IBM kept my personal data for another 12 years. (For nostalgia, visit the Lotus Museum.)
I also asked this question because I was curious exactly how IBM located me, since I moved my residence twice since I worked at Lotus 16 years ago. Mr. White explained that IBM hired the Kroll risk consulting company both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees affected by its data breach. Mr. White explained that Kroll searched through public records databases to find former employees like me. He added that since the "lost" data tapes were backup tapes, IBM had to reconstruct the list of affected former employees. I asked whether Kroll used my SS# to do this search. Mr. White never answered that question. I interpreted his silence as a "yes."
While I appreciate IBM's diligence to locate and notify former employees affected by their data breach, I can't ignore the implications. First, IBM pursued an internal policy where it archived my personal data for at least 12 years. The data IBM had about me was 16 years old; old address information. Second, IBM pursued a data breach notification process where IBM updated its files with the current personal data for former employees. So now IBM had my current address information.
Third, both IBM and Kroll have my current personal data. In its efforts to protect itself from risk, IBM shared my personal data with another company without my knowledge or consent. If I hadn't asked IBM, I wouldn't have known any of this. I wonder how many other former IBM employees affected by IBM's data breach know where IBM shares their personal data. I do know that some former IBM employees are hesitant to trust Kroll since they were recommended by IBM, who lost the data tapes which caused the problem. Fourth, if I use Kroll's credit monitoring service, will Kroll be acting in my best interests? Consider: IBM pays Kroll for one year of free credit monitoring services for former employees who choose this option; and IBM pays Kroll for investigation projects. How objective can Kroll be?
What is the current status of IBM's investigation into the data tape "loss?"
I received IBM's data breach notification in May. It's now July... 2+ months later. I hadn't received any more correspondence from IBM since the data breach notification. Perhaps the tapes were found or the thieves caught, especially since IBM offered a reward for return of the "lost" data tapes. Or maybe IBM was now ready to disclose details about how the data tapes were "lost."
Mr. White was quite clear and unhelpful. According to Mr. White, IBM's position is still not to disclose details about the investigation, since it is an on-going investigation. He consistently referred to the incident as a "data tape loss." When I challenged Mr. White about "lost" versus "stolen," he mentioned two items, a) the vendor did not know the tapes' contents, and b) he didn't want to speculate as there wasn't any evidence that the tapes were stolen or the personal information was used by ID theft thieves.
IBM's response is very frustrating and unhelpful because it will likely be us former IBM employees and ID-theft victims who bear the ID-theft risk and bear the burden to continually check our credit reports. It will be us, not IBM, who will notice first on our credit reports the attempts by identity thieves to abuse our personal data. I guess then, when we tell IBM, IBM will know that the data tapes were "stolen" and not "lost."
Sounds to me like we are doing a job IBM should be doing.
Mr. White added that IBM did not disclose the details mentioned in the Computerworld article; that the Computerworld article was based on an Associated Press reporter's story, not information supplied by IBM. I found that I had to listen very closely to Mr. White's words. It was like talking with a lawyer. Mr. White didn't dispute the story as inaccurate. Mr. White just emphasized that IBM didn't release any details about the data tape "loss." To me, a statement like that is an indirect implication that the Computerworld news article was inaccurate.
Well, clear it up IBM! Release some details about the data breach incident. A good start would be the number of employee records stolen. Almost all other companies with data breaches release information about the number of records stolen. Another good start would be the status of the vendor and some detail about the status of the investigation.
I also reminded Mr. White that since IBM has my personal data, I need to feel confident that IBM is doing everything IBM can to protect my data and retrieve the data tapes. Again, Mr. White didn't offer any details about IBM's data breach or IBM's investigation. He did confirm that IBM reported the incident to law enforcement. It felt like I was talking to a brick wall. This was frustrating, since IBM's "loss" of the data tapes created the problem which was now inconveniencing me. Mr. White was very polite about acknowledging my concerns, but at the same time unhelpful with providing any kind of details.
Does IBM still do business with the vendor that "lost" the data tapes?
An answer here was important to me for several reasons. First, you lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. Second, the details have implications. You hire a transportation vendor to deliver items from one location to another. A trustworthy vendor should be able to explain in detail any problems; but there shouldn't be any delivery problems. A trustworthy vendor should do criminal background checks on its employees. There is one set of implications if IBM's vendor didn't follow established IBM data security policies. There is a different set of implications if the vendor followed established IBM data security policies (meaning IBM's data security policies are deficient in some manner).
Third, news items which reported that the data tapes "fell off the back of the truck..." didn't inspire confidence in IBM's ability to protect my personal data. Mr. White explained that the vendor did not know the contents of the "lost" data tapes. Again, Mr. White didn't offer any details (e.g., vendor's name, whether or not IBM still uses this vendor, etc.) except vague, general statements that IBM has dedicated lots of resources to the problem and IBM doesn't want this to happen again.
In my view, vague statements aren't enough. Mr. White did confirm that the data tapes were backup tapes in transit from IBM's headquarters in Armonk, New York to an undisclosed location as part of IBM's data archive and disaster recovery process. Mr. White said IBM would never disclose the location of IBM's remote data backup facility. I didn't expect that, but I did expect some details about the status of the investigation about the vendor.
Based on these vague assurances, I still have no confidence that IBM will sufficiently protect my personal data. During the phone call, I felt that Mr. White was assigned to the data breach incident to "handle" callers like me. Mr. White kept a calm voice, acknowledged my concerns, but rarely offered details. I guess IBM hopes that former employees like me will just go away and be happy with vague assurances.
What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again?
Assuming IBM decides to continue to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again. Once again, I heard vague statements from Mr. White about IBM devoting lots of resources to the data breach incident. No details... no amounts... no numbers of employees assigned.
And unfortunately this gets worse. An upcoming blog entry will cover more about my questions and IBM's answers.
On July 5, 2007 I sent a letter to Barbara Brickmeier, VP of Human Resources at IBM, seeking clarification and answers about IBM's data breach incident. IBM's notification letter and FAQ page lacked detailed answers in several areas. My questions for IBM:
- How exactly did IBM verify that I was the correct person in their records? IBM's letter was a surprise since I never worked for IBM. I did work for Lotus Development (until 1991), which IBM bought in 1995. Maybe this was the answer, but I'd changed jobs and residence several times since I'd left Lotus.
- What is the current status of IBM's investigation into the data tape "loss?" It's been over 2 months since IBM first contacted me in May 2007. A lot could have happened since: the tapes found, the thieves caught, or IBM explained exactly how it "lost" their data tapes.
- Does IBM still do business with the vendor that "lost" the data tapes? IBM refers to the incident as, "data tapes were lost while being transported by a vendor" and didn't identify their vendor. You lose an umbrella or a hat. You don't "lose" data tapes with thousands of records with sensitive employee personal data. News items which reported that the data tapes "fell off the back of the truck...," didn't inspire confidence in IBM's ability to protect the personal data of employees and former employees.
- Does IBM still maintain archived data tapes with my personal data? After this data breach, I need to know whether or not IBM plans to continue to archive my personal data.
- What processes is IBM using to protect my personal data? Assuming IBM continues to archive my personal data, I need to feel confident that my personal data is safe at IBM. Given the nature of IBM's data breach, I don't feel confident in IBM protecting my data.
- What procedures has IBM put in place so that a data tape "loss" during transit doesn't happen again? Assuming IBM continues to archive my personal data, I need to know that IBM has made some type of effort so this incident doesn't happen again.
- How long does IBM plan to archive my personal data? Assuming IBM continues to archive my personal data, there seems to be a point of diminishing usefulness. My data is 16+ years old and largely inaccurate. Destroying the data seems ideal, since it would eliminate the risk to IBM of future data breaches, and would reduce the risk to me.
- Why does IBM archive records with personal data of former employees? It seemed odd for IBM to archive my personal data since I do not have a pension plan or retirement account with IBM. Nor am I on IBM's payroll, so there aren't any tax reasons to archive my personal data. The reasons IBM stated in their FAQ sheet ("...retains records of past employees for a variety of legal, tax, and other reasons, as well as to verify IBM employment when needed.") seemed vague and irrelevant to my situation. Plus, 16+ year-old data can't be very useful (or accurate) to verify employment.
- Why did it take IBM 2.5+ months to notify me of their data breach? The data breach occurred in February 2007. IBM notified me in May. The 2+ month period was plenty of time for identity thieves to cause damage. I'd like to feel confident that in the future IBM will notify me in a timely and prompt manner.
Maybe readers of I've Been Mugged have questions for IBM. If so, it'd be great to hear your questions. If you have already discussed your questions with IBM, I'd love to hear both your questions and the answers you received from IBM.
A prior blog entry discussed how IBM had lost data tapes containing the personal data for thousands of current and former employees. What was IBM's offer for the affected employees? One year of free credit monitoring. While a Fraud Alert is free, consumers can pay anywhere from "$50 to $200 per year" for a credit monitoring service.
I really do appreciate IBM's offer of free credit monitoring service for one year. Credit monitoring is wise because the 2003 FTC Identity theft survey found that consumers who monitor their credit tend to lose less money to identity theft and spend less time and money fixing the problem. About.com has a page that clearly explains the benefits of a credit monitoring service. However, a credit monitoring service has its limitations.
First, credit monitoring is like any other service. Some consumers like it, some say the value isn't there, and others prefer stronger protection. A recent BBB and Javelin study found that credit monitoring services uncovered about 11% of fraud. A credit monitoring service won't protect you against all types of identity theft, just the scams where the thief applies for credit, a loan, or a product purchase where the company checks with one of the three national credit bureaus for your credit data. For example, a credit monitoring service won't protect you when an identity thief gives law enforcement your stolen identity during a traffic stop or a crime.
Second, while credit monitoring is strongly recommended, paying for a credit monitoring service isn't for everyone. The Identity Theft Resource Center advises the following after a data breach:
Place a fraud alert with each bureau (asking companies to contact you prior to issuing credit) and request your free copy of the credit report. It is free because your information was breached. If asked, you are a potential victim of id theft... Check your report carefully for any irregularity...Use the annual credit reports system to monitor your credit report over the next year. Stagger them out by ordering one every four months.
According to the Security Breach Guide at the Privacy Rights Clearinghouse site:
"Every consumer, whether or not a victim of identity theft, can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert. See the Resources at the end of this guide for information on how to order your free report. In addition, laws in several states give individuals other opportunities to obtain free credit reports."
So, you can order your free annual credit report from all three national credit bureaus at once, or stagger when you receive them over several months.
Third, if you already have credit monitoring, then another offer of free credit monitoring is really minimal or no help at all. When IBM notified me, I had already established a credit monitoring service through my Discover Card 4 or 5 years earlier. At worst, IBM's offer is no help because it duplicates an existing credit monitoring service. At best, IBM's offer is an opportunity for me to compare two credit monitoring services over time and cancel the poorer service at the end of the year. What I did learn is this: make sure that whatever credit monitoring service you use, a) provides real-time alerts about inquiries into your credit file; and b) monitors all three national credit bureaus. My service monitored one, but it provided a free upgrade to all three credit bureaus. Obviously, I happily upgraded.
Fourth, IBM's offer of free credit monitoring for one year could be seen as a slick effort to shift focus and responsibility from IBM to the consumer and his/her credit monitoring service. IBM still has a duty to protect the personal data for all current and former employees, to inform us of IBM's processes to protect our data (e.g., through various required correspondence, IBM now has my current personal data), and to inform us of the results of its investigation about the data tape loss/theft. The credit monitoring service is not and should never be an excuse for any company to avoid responsibility for protecting the personal data it stores.
Fifth, IBM's offer of free credit monitoring for one year doesn't address the fact that the risk period of identity theft extends far beyond one year. IBM created this risk when their subcontractor lost (or stole) my personal data. Smart identity thieves can just sit on the data for 2 years or longer, and then use (or sell) the stolen data. Or it may take more than a year for the thief to sell the data and for a buyer to use the stolen personal data.
In my opinion, the length of the free credit monitoring service should match the risk period. IBM lost my personal data. There has to be a consequence when a company doesn't adequately protect personal data. If the free credit monitoring period doesn't match the risk period, then IBM has unfairly shifted the burden from themselves to the ID theft victim. In the instances where a victim already has a credit monitoring service, the company should reimburse the consumer for that risk period.
Moreover, IBM's offer is like giving me the sleeves from a vest. It does not solve the problem that led to the data tape loss/theft. It does not address IBM's internal process and policies, or lack of enforcement, which led up to an IBM contractor losing (or stealing) the employee data. It does not address IBM's responsibility to inform victims and to protect the personal data consumers have entrusted it with.
I described in a prior blog entry the notification I received from IBM in May 2007. One of the first things I did was search the Internet for news stories about IBM's data tape loss/theft. The more I read, the more discomfort I felt. The news item in ComputerWorld summed up IBM's data tape loss quite well:
When this article says things like, "The data tapes require a tape drive to be read..." it indicates that some, or all of IBM's data tapes, were not encrypted. The article in CIO magazine makes it clear that the lost/stolen data tapes contained personal data of mostly former IBM employees. Why weren't these tapes encrypted? Why such lax data security for personal data about former employees? Does IBM still do business with the contractor? Apparently, yes. Is anyone being held accountable about this incident? I have not received any communication from IBM with answers about these and similar questions. And as I read the news stories, it's unclear if the incident was a data tape loss or theft.
A May 2007 news article in informationWeek pretty much reflected the same story line:
Fell off the back of a truck? How could this happen? With annual revenues exceeding $90 billion in 2006, IBM is one of the world's leading computer companies, if not the leading computer company, providing hardware, software, and services to companies worldwide. You may remember the TJX identity theft incident. Hackers broke into various TJX companies' computer systems over a two-year period and stole the personal data for over 45 million records/people. (I didn't shop at any TJX brand stores so I wasn't affected by this data breach.) Who did TJX hire to help them repair their systems? IBM!
In its 2006 Annual Report, IBM emphasizes its strategy around innovation:
IBM’s lines of business work together in a model defined by innovation and global integration, the twin imperatives that we believe are reshaping business and society in the 21st century. This ability to both innovate and integrate — and do so in ways that are truly global — is unique to IBM, and sets us apart from our competition. Last year was in many ways the culmination of our repositioning of IBM as an innovation company. Its most visible manifestation was our marketing and communications campaign around the theme, “What makes you special?”
Various IBM technicians write research papers, technical papers, and participate in conferences about information security. IBM also markets its white papers (example: this one is about security) through online distributors. At its web site, you can read plenty of case studies about how IBM security solutions benefit companies and governments. Heck... IBM even has an ethical hacking service where IBM technicians will hack or break into a client company's computer systems to test the client's information protection systems. In my opinion, being truly innovative means practicing what you preach, or walking the talk. It means employing the information security processes internally which you sell to other companies. There was nothing special or innovative about IBM's data tape loss in February 2007... an event where IBM's carelessness or negligence now inconveniences me (and other former employees) both with time and money.
For a company specializing in computing innovation, I expect far more. For a company emphasizing security solutions, I expect far more. And I have a right to expect far more because IBM has decided to continue to store my personal data.
So, how did IBM's data tape theft/loss happen? In my opinion and based on IBM's legacy businesses, IBM ought to know better about data security. Wait... let me revise that... IBM does know better about how to protect sensitive personal data. So why wasn't it done for records about former IBM employees? I wonder if either IBM didn't care about protecting the data of prior employees, or cared but didn't enforce its own information security processes internally. Either way, it stinks.
It is shocking to me -- and I hope to you -- that IBM has not held anyone accountable for the data tape loss, still does business with this unnamed (and still undisclosed) contractor, and hasn't communicated to people affected (me and other former employees) about what IBM is doing to protect our sensitive personal data so this doesn't happen again. Think of it this way... since this data breach happened at IBM, consider how many of your former employers aren't sufficiently protecting your personal data.
IBM seems rather tight-lipped about the whole identity loss/theft incident. The reason given in the news articles by an IBM spokesperson, McNeese, is "security reasons." That's a convenient rationale if your employees (or your contractor) have dropped the security ball in a big way. It's also after the event... our personal data is out there for patient thieves to use.
IBM's actions so far haven't made me feel confident about their intent to protect my personal data. In future blog entries I will discuss in more detail IBM's actions, proposed solution for the data tape loss/theft, communications (or lack thereof), and the questions I have submitted to IBM. We'll see if IBM responds to my inquiry, and if so, how quickly and with what level of detail.
About May 2, 2007, I received a letter from IBM Corporation. It read in part:
"We are writing because of an incident that has resulted in the loss of information relating to your IBM employment, as we wanted to inform you about what happened and explain steps IBM is taking to help protect you."
This letter was startling because technically, I never worked for IBM. During the late 1980’s, I’d worked for a company, Lotus Development Corporation, which IBM later bought during the mid 1990’s after I’d left Lotus. So, before reading the letter I was wondering why IBM’s Vice President of Human Resources had written to me.
The letter also read:
"Recently, data tapes were lost while being transported by a vendor. Those tapes contained primarily archival IBM employment-related information, including Social Security numbers."
Yikes! The letter sent a chill through my spine. IBM had lost my most sensitive and valuable information, including my Social Security number! I hadn’t heard anything about this in the news on TV or online. Now, despite my best efforts, somebody else had lost my personal information, which was out there available to thieves!
Was I angry? You bet! The feeling is that I am now inconvenienced due to nothing I did, but due to the carelessness of somebody else. My attitude was (and still is), “You lost my data. Find it! And if you can’t, make it right somehow.”
After I calmed down, I continued to read the rest of the materials in the package IBM had sent. There was an application for pre-paid credit monitoring. (More about that in a future blog entry.) The package also contained a list of questions and answers. One item in particular stuck out:
"When were the tapes lost? February 23, 2007."
Why did it take IBM more than two months to contact me? The letter didn't say anything specific beyond a vague description about "taking several weeks to investigate the incident." I can't imagine why it took IBM about 2 and a half months to investigate the theft and to notify me. My personal information could have been used during this long period. IBM's slowness in communicating affected my ability to protect myself against identity theft.
More questions for IBM. When I receive an answer I will post it on this blog.