A laptop containing personal data -- including Social Security numbers -- of 13,000 District workers and retirees was stolen Monday from the Southeast Washington home of an employee of ING U.S. Financial Services, the company said yesterday.
ING, which administers the District's retirement plan, known as DCPlus, notified the city about the theft late Friday.
The company is mailing a letter to all affected account holders to alert them to the risk of someone using the information to commit identity theft, spokeswoman Caroline Campbell said. The company is also telling customers that it will set up and pay for a year of credit monitoring and identity fraud protection.
The laptop was not protected by a password or encryption, Campbell said. Encryption safeguards information by scrambling it into indecipherable codes.
"We are concerned that this information was being managed without protection," said Mary Ann Young, spokeswoman for the city's chief financial officer. City officials also said they were disturbed that ING waited five days to inform them of the theft. Young said the District expects to get a thorough briefing from ING about the incident this week.
Campbell said ING did not alert the District sooner because it took several days for the company to figure out what the laptop contained.
A Social Security number can be used by thieves to open new lines of credit in the victim's name. In the past 15 months, more than 85 million U.S. consumers have been told that their personal or financial data might have been compromised because of data breaches, disgruntled employees or incompetence.
Last month, the U.S. Department of Veterans Affairs announced that the personal information of 26.5 million veterans and military personnel was endangered after a laptop and external hard drive were stolen from an employee's home in Montgomery County.
ING executives say that they believe that their computer was stolen for its value as hardware and that thieves may not have been aware of the data it contained. ING said it is working with District police and has hired a private investigative firm.
D.C. police Sgt. Joe Gentile could not confirm the burglary yesterday nor give any details about the incident.
The ING employee did not violate company procedures by taking home a laptop containing such sensitive data, Campbell said.
"A lot of our advisers are on the road a lot, and it's not unusual for them to have a laptop and to take it home," she said.
Monday's burglary has prodded ING to analyze whether any of its other 5,000 laptops in circulation across the country lack adequate protection, Campbell said. Steve Van Wyk, the company's chief information officer, said he did not know how many of its computers lacked security measures but believed it was a small number.
"For us, this is very unfortunate," Campbell said. "But we're moving forward, we're very focused and committed to find any other laptops that don't have encryption software and to fix that. This incident revealed a gap."
It wasn't the first time, however. Two ING laptops that carried sensitive data affecting 8,500 Florida hospital workers were stolen in December, and neither was encrypted, said Chuck Eudy, an ING spokesman.
[an error occurred while processing this directive]