BP Spills Personal Data Of 13,000 Oil Leak Victims

Oil giant BP has admitted to losing a laptop containing the names and private information of 13,000 people who filed compensation claims after the Gulf of Mexico oil spill last year.

The laptop, which contains a spreadsheet of the names, phone numbers, addresses, dates of birth and social security numbers of claimants, was password-protected but not encrypted.

The company says it immediately reported the incident to law enforcement and company security, and has sent letters to individuals whose data was stored on the computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored.

“There is no evidence that the laptop or data was targeted or that anyone’s personal data has in fact been compromised or accessed in any way,” a BP spokesman said in a statement.

Data mishandling

The laptop was lost by a BP employee on 1 March, while on a business trip. BP says it cannot release any information about where or when the laptop computer was lost, to prevent the investigation from being jeopardised.

“This loss reminds us in the UK that it’s not just the public sector that can come under fire for mishandling data: even the largest of businesses can show inexcusable carelessness with individuals’ sensitive information,” said Chris McIntosh, CEO of encryption expert Stonewood, commenting on the news.

“Leaving sensitive data on individuals such as this unencrypted is bad enough: when you factor in the legal importance of the data, and the scale of the event which made BP record it in the first place, it becomes inexplicable,” he added.

McIntosh compared the incident to the loss of an unencrypted data backup tape by Zurich Insurance, during an apparently routine transfer to a data storage centre in South Africa in 2008. The tape contained the personal financial information of around 46,000 policy holders, but the loss was not reported until more than a year later.

Although BP has come clean quicker, McIntosh is not impressed: “BP may claim that it has been investigating the incident during the victims’ month-long wait for information, but this seems similar to the actions that resulted in Zurich Insurance receiving a record fine from the FSA last year: too little, much too late.”

ICO cracks down on data loss

In the UK, Zurich also came under fire from the Information Commissioner’s Office, which in recent months has been coming down hard on UK institutions responsible for data breaches. Reports suggest the ICO is currently preparing to issue its fifth data breach penalty, after it was given the power in January 2010 to fine companies that fall foul of the data breach laws up to £500,000.

“Data controllers should realise, if they let consumers down, a fine from the ICO will be the Mark of Cain,” said the information commissioner Christopher Graham.

Of the four fines issued so far, three have been to public sector organisations. Research by enterprise software provider Software AG last summer revealed that 50 percent of public sector organisations have no idea about secure data transfer.

Oil spill – the PR winners and losers

During the actual oil spill, BP had a big job of crisis management and public relations on its hands. It was revealed that the company bought keywords like “oil spill” on Google to increase visibility of its response site, and also had trouble handling a public suggestions box.

Meanwhile, other technology companies capitalised on the mishap. Intel announced its supercomputers were helping, while HP claimed its sensors could help avert similar troubles in future.

Sophie Curtis

View Comments

  • Over the course of the last 10 years, I have been notified about TWO DOZEN times by the federal government that my Social Security number and associated personal data has been compromised through this kind of loss. Those were only the incidents that were reported, and many of the losses included the data of hundreds of thousands of individuals!

    Not that we should ever use the US Government as a standard for personal ID security, but, hey, let's keep things in perspective and recognize that this report includes no evidence that the data has been 'captured' and used for a malicious intent.
