[ISN] Time Warner says data on 600,000 workers lost
InfoSec News
isn at c4i.org
Wed May 4 02:37:40 EDT 2005
http://www.computerworld.com/securitytopics/security/story/0,10801,101500,00.html
By Lucas Mearian
MAY 02, 2005
COMPUTERWORLD
Time Warner Inc. reported today that a shipment of backup tapes with
personal information of about 600,000 current and former employees
went missing more than a month ago during a routine shipment to an
offsite storage site.
The tapes, part of a routine shipment being taken to the site by
off-site data storage company Iron Mountain Inc. didn't include data
about Time Warner customers, the company said in a statement.
The company told employees today that the data tapes went missing
March 22.
We are providing current and former employees with resources to
monitor their credit reports while our investigation continues. We are
working closely and aggressively with law enforcement and the outside
data storage firm to get to the bottom of this matter,. said Larry
Cockell, Time Warner.s chief security officer.
The U.S. Secret Service is working with both Time Warner and
Boston-based Iron Mountain to investigate the missing tapes.
The $42 billion media company said in a statement that there is no
evidence that the data has have been illegally accessed or misused.
The company said it has contacted major credit agencies -- Equifax,
Experian and Trans Union -- about the data loss.
After determining that publicizing the data loss wouldn't interfere
with the investigation, Time Warner posted a statement about it on its
Web site, as well as a letter to its employees about the incident and
an FAQ.
In the letter to employees, Time Warner said the missing tapes
contained data such as names and Social Security numbers of current
and former U.S.-based employees, their dependents and beneficiaries.
Cockell said in the statement to employees that the company has made
arrangements with Equifax to offer U.S. employees a free subscription
to Equifax.s Credit Watch Gold credit monitoring service to help
protect identity and credit information for 12 months.
Time Warner's disclosure follows on the heels of other high-profile
security breaches in the U.S. In March, a laptop containing data on
100,000 graduate students, alumni and applicants from the University
of California, Berkeley, was stolen from a campus office.
Bart Lazar, a privacy and intellectual property lawyer and partner in
the law firm of Seyfarth Shaw Llp. in Chicago, said that as data loss
incidents pile up, thereÕs greater potential that firms found
responsible will have to change their data security standards. Most of
the pressure, he said, may come not from Congress but from insurance
companies that will require more stringent safeguards before signing
with a client.
Part of the problem, Lazar said, is that companies don't have proper
chain-of-custody requirements or encyption technology in place.
"I've dealt with many of these companies, and if you ask them what
happens with their data ... they can't chart it," he said. "Or the
companies know what to do and they just haven't committed the
resources to do it. Companies have to deploy their resources. I don't
know what SANS [Institute] says the spending on security is, but it's
not huge."
Lazar said data loss incidents will also likely give rise to more
companies turning to internal data protection schemes instead of using
third-party service providers or external data processors.
These big incidents [are] what leads to consciousness raising and may
lead to reasonable security standards, he said.
Reuters contributed to this report.
More information about the ISN
mailing list