Oil giant BP has admitted to losing a laptop containing the names and private information of 13,000 people who filed compensation claims after the Gulf of Mexico oil spill last year.
The laptop, which contains a spreadsheet of the names, phone numbers, addresses, dates of birth and social security numbers of claimants, was password-protected but not encrypted.
The company says it immediately reported the incident to law enforcement and company security, and has sent letters to individuals whose data was stored on the computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored.
“There is no evidence that the laptop or data was targeted or that anyone’s personal data has in fact been compromised or accessed in any way,” a BP spokesman said in a statement.
The laptop was lost by a BP employee on 1 March, while on a business trip. BP says it cannot release any information about where or when the laptop computer was lost, to prevent the investigation from being jeopardised.
“Leaving sensitive data on individuals such as this unencrypted is bad enough: when you factor in the legal importance of the data, and the scale of the event which made BP record it in the first place, it becomes inexplicable,” he added.
McIntosh compared the incident to the loss of an unencrypted data backup tape by Zurich Insurance, during an apparently routine transfer to a data storage centre in South Africa in 2008. The tape contained the personal financial information of around 46,000 policy holders, but the loss was not reported until more than a year later.
Although BP has come clean quicker, McIntosh is not impressed: “BP may claim that it has been investigating the incident during the victims’ month-long wait for information, but this seems similar to the actions that resulted in Zurich Insurance receiving a record fine from the FSA last year: too little, much too late.”
In the UK, Zurich also came under fire from the Information Commissioner’s Office, which in recent months has been coming down hard on UK institutions responsible for data breaches. Reports suggest the ICO is currently preparing to issue its fifth data breach penalty; in January 2010 it was given the power to fine companies that fall foul of the data breach laws up to £500,000.
“Data controllers should realise, if they let consumers down, a fine from the ICO will be the Mark of Cain,” said the information commissioner Christopher Graham.
Of the four fines issued so far, three have been to public sector organisations. Research by enterprise software provider Software AG last summer revealed that 50 percent of public sector organisations have no idea about secure data transfer.
During the actual oil spill, BP had a big job of crisis management and public relations on its hands. It was revealed that the company bought keywords like “oil spill” on Google to increase visibility of its response site, and also had trouble handling a public suggestions box.
Meanwhile, other technology companies capitalised on the mishap. Intel announced its supercomputers were helping, while HP claimed its sensors could help avert similar troubles in future.
Over the course of the last 10 years, I have been notified about TWO DOZEN times by the federal government that my Social Security number and associated personal data has been compromised through this kind of loss. Those were only the incidents that were reported, and many of the losses included the data of hundreds of thousands of individuals!
Not that we should ever use the US Government as a standard for personal ID security, but, hey, let's keep things in perspective and recognize that this report includes no evidence that the data has been 'captured' and used for a malicious intent.
You're a mink mike...shut up