Data Lost on 650,000 Credit Card Holders

January 17, 2008

By David Koenig, AP Business Writer

Personal information on about 650,000 customers of J.C. Penney and up to 100 other retailers could be compromised after a computer tape went missing.

GE Money, which handles credit card operations for Penney and many other retailers, said Thursday night that the missing information includes Social Security numbers for about 150,000 people.

The information was on a backup computer tape that was discovered missing last October. It was being stored at a warehouse run by Iron Mountain Inc., a data storage company, and was never checked out but can't be found either, said Richard C. Jones, a spokesman for GE Money, part of General Electric Capital Corp.

Jones said there was "no indication of theft or anything of that sort," and no evidence of fraudulent activity on the accounts involved.

Iron Mountain spokesman Dan O'Neill said it would take specialized skills for someone to glean the personal data from the tape. He said the company regretted losing the tape, "but because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes."

Penney said it had been told of the situation and referred further inquiries to GE Money.

Jones declined to identify the other retailers whose customers' information is missing but said "it includes many of the large retail organizations."

Jones said GE Money was paying for 12 months of credit-monitoring service for customers whose Social Security numbers were on the tape.

Incidents like this add to consumer concern about fraud. The Identity Theft Resource Center says there was a six-fold increase last year in the number of records reported compromised in the United States . to 125 million.

Data breaches can stem from hacking, as well as the physical loss or theft of computers of data storage equipment.

TJX Cos., owner of the T.J. Maxx and Marshalls retail chains, reported last year that tens of millions of credit and debit card owners were exposed to fraud when hackers stole data while it was being transmitted wirelessly.

It took GE Money two months to reconstruct the missing tape and identify the people whose information was lost. Since December, the company has been notifying consumers in batches of several thousand and telling them to phone a call center set up to deal with the breach. The notification is expected to be completed next week.

Penney's card holder Elizabeth Rich of Everett, Wash., got one of the GE Money letters saying her name, address and account number may have been compromised. She was told her Social Security number was not on the tape.

The letter, signed by GE Money President Brent P. Wallace, read in part, "We have no reason to believe that anyone has accessed or misused your information. The pieces of information on the tape would not be enough to open new accounts in your name, and we have implemented internal monitoring to protect your account number from misuse due to this incident."

Wallace said in the letter that Penney "was in no way responsible for this incident."

The Penney name didn't appear on the envelope Rich received, and she thought it was a credit solicitation when she saw the GE Money return address.

"I think the average consumer has thrown away that GE Money letter because they don't know it's about J.C. Penney," Rich said. "Not everybody opens junk mail."

Rich said she canceled her Penney card immediately.

main page ATTRITION feedback