04:28 PM

EXCLUSIVE: Laptop Theft Puts GMAC Customers' Data At Risk

Personal data, including Social Security numbers, for about 200,000 GMAC Financial Services customers may have been compromised due to the theft of two laptop computers from an employee's car.

A division of GMAC Financial Services has been quietly informing about 200,000 of its customers that their personal data may have been compromised due to the theft of two laptop computers from an employee's car at a regional office near Atlanta.

In a letter to its personal insurance customers, GMAC Insurance indicates that "a random theft" of the laptops from a locked vehicle may have left them vulnerable to identity theft. The letter obtained by InformationWeek indicates that the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status, and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter advises customers. The letter was dated March 12. The theft took place on Jan. 26.

One GMAC Insurance customer who received the letter says he was stunned to learn the company stored such personal data on laptops. "I'm not sure how or who determines what constitutes 'secure' when it comes to customers' personal information," the customer says in an E-mail interview. "However, if company guidelines deem it acceptable to house that data on laptops, in parked cars, then I would question their competence to establish any process and procedure to ensure the security of any data anywhere." The customer, who describes himself as a 30-year IT veteran, asked that his name be withheld.

A spokesman for GMAC Insurance says the company is reviewing its policies in light of the incident. "We are undertaking a comprehensive review of our security policies and procedures," he says. Among other things, he adds, GMAC Insurance now prohibits employees from transporting "certain types of information" on laptops and is evaluating new encryption technologies. The stolen laptops were password-protected but not encrypted, he says. The spokesman says the data was being used for a marketing research project. He declined to say if any employees were disciplined as a result of the theft, which police have not solved.

Corporate security experts generally advise businesses to store sensitive data on secure servers. They usually recommend that employees requiring the data access it through the server via secure lines and not store it locally.

However, such safeguards are often an afterthought at many businesses. "There are not a lot of companies that have good procedures for protecting data; it's common for workers to take sensitive data home on an unprotected laptop," Gartner security analyst Avivah Litan says.

That may be part of the reason why identity theft has become a problem that's costing consumers and businesses billions of dollars. According to research published by the Federal Trade Commission in September, 4.6% of consumers the FTC surveyed reported that they were a victim of some form of identity theft. The FTC estimates that identity theft cost businesses $33 billion in 2002.

Legislators are hoping tougher regulations will help curb the problem. Under a law passed last year in California, companies doing business in that state are required to notify any customers who are California residents of any improper release of their personal data. U.S. Sen. Dianne Feinstein, D.-Calif., has introduced a similar bill at the federal level. Litan believes more high-profile data leaks could lead to more regulation. "The problem is becoming rampant so clearly more action is needed," she says.
