T-Mobile reports ID-theft risk

October 20, 2006

By Mike Rogoway


A laptop containing the Social Security numbers and other personal information of T-Mobile USA Inc. employees recently disappeared, putting as many as 43,000 current and former workers at risk of identity theft.

However, the company based in Bellevue, Wash., says there is no indication the laptop contained customer information.

In a letter to employees dated Oct. 14 and obtained Thursday by The Oregonian, T-Mobile Vice President Manny Sousa said the laptop in question disappeared from an employee's checked luggage. The laptop was protected by a password, according to the company, and Sousa's letter says T-Mobile has "no reason to believe that any employee information has been improperly accessed."

T-Mobile operates a call center in Salem where several hundred people work. Rex White Jr., a former employee of the call center now living in Utah, said he received the letter but was unhappy the company hadn't done more to publicize the theft.

T-Mobile said Thursday it was preparing a statement on the situation, but it would not comment further.

A company operator, though, confirmed the laptop theft and said T-Mobile sent 43,000 letters to current and former employees notifying them they are at risk. T-Mobile, a subsidiary of Deutsche Telekom, the German phone company, employs about 22,600.

T-Mobile's lost computer is the latest in a series of corporate security breaches that put many companies in the awkward position of notifying employees or customers that their personal information is at risk. In January, Providence Health System told 365,000 patients that electronic data stolen from a residential neighborhood contained their personal identifying data and sensitive medical information.

In that case, a Providence employee took home computer disks and tapes, and left them in his van overnight. So far, authorities have not linked any cases of fraud or identity theft to the stolen records.

In T-Mobile's case, the company said its computer disappeared from checked airplane luggage belonging to an unidentified employee flying between unnamed cities. The company's letter did not say when its laptop disappeared.

T-Mobile's lost laptop "may have contained certain sensitive employee information including data such as name, address, home phone number, Social Security number, date of birth and compensation information," Sousa wrote. It apparently did not contain credit card or driver's license data, he said.

The company said it will pay for a year of credit monitoring for employees whose data may have been on the laptop.

T-Mobile's letter said its policy for storing sensitive information on laptops "was not followed in this case," but the company did not indicate how the policy was violated or if any disciplinary action was taken.

Data breaches can be extremely costly for businesses. Providence expects to spend $7 million to $9 million providing credit protection to all whose records were stolen, and the company is facing a class-action lawsuit seeking damages.

The Providence case revived efforts by Oregon lawmakers to enact stronger privacy protections. Oregon has no law requiring companies to report security breaches, unlike California, Washington and at least 23 other states.

main page ATTRITION feedback