GE Money Backup Tape With 650,000 Records Missing At Iron Mountain
Iron Mountain can't find a backup tape belonging to GE Money that contains information on customers of J.C. Penney and about 100 other retailers.
"How are companies really doing when it comes to records management?" That's the question data storage service provider Iron Mountain asks on its Web site.
Really, companies -- and Iron Mountain -- could do better. Iron Mountain can't find a backup tape belonging to GE Money that contains the personal information of some 650,000 customers of J.C. Penney and about 100 other retailers. GE Money handles credit card processing for the affected retailers.
The missing data includes about 150,000 social security numbers, according to an Associated Press report.
GE Money requested the backup tape from an Iron Mountain vault in October, according to a statement issued by Iron Mountain. When the tape could not be located, Iron Mountain personnel began looking for it. The tape remains unaccounted for.
"We believe this is an unfortunate case of a misplaced tape; there has been no evidence to suggest that the media was obtained by unauthorized persons or has been misused in anyway," Iron Mountain said in an e-mailed statement. "We also understand the tape was created in such a manner to make unauthorized access extremely unlikely and difficult, even for experts with specialized knowledge and technology."
A spokesperson for GE Money did not immediately respond to a request for comment.
GE Money is reportedly paying for a year of credit monitoring service to help protect those whose social security numbers were on the tape from identity theft.
Iron Mountain, however, insists that identity theft isn't an issue. "An accidental loss of a back-up tape is not an identity theft issue or a crime; it is distinctly different from previous cases of malicious hacking or PC theft," the company said. "Since we notified GE Money of the missing back-up tape in October, there has been no evidence to suggest that any person's identity has been compromised as a result. And we don't know of any incident, ever, when a lost back-up tape has resulted in identity theft."
The Identity Theft Resource Center put the number of publicly reported data breaches in the United States at 446 for 2007. It identified 312 data breaches in 2006 and 158 in 2005. But not everyone believes data breaches are rising. A blogger who goes by the name "Dissent" recent published an analysis of data breach statistics that finds a decrease in data breaches and records exposed.
According to a study conducted by the Ponemon Institute, an independent information practices research group, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.
However, such statistics clearly don't apply in every case. By that measure, TJX's loss of as many as 94 million customer records in a breach reported a year ago would cost the company $18.5 billion, about 50% more than its current market capitalization. To judge by the company's stock performance over the past year, whatever brand damage occurred as a result of the breach hasn't significantly affected the company's revenue.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.