An unencrypted BP laptop that contained the details of 13,000 Louisiana residents has been lost.
According to the Press Association, the 13,000 Louisiana residents had filed compensation claims after the Gulf of Mexico oil spill. The personal details include names, addresses, phone numbers and social security numbers.
BP spokesman Curtis Thomas said it had sent letters to the 13,000 people whose data was stored on the computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored.
He also confirmed that the laptop was password-protected, but the information was not encrypted and included a spreadsheet of claimants' names, social security numbers, phone numbers and addresses. He also said that there was no evidence that claimants' personal information had been misused.
The employee lost the laptop on 1st March during ‘routine business travel’, but Thomas did not elaborate on the circumstances. “We're committed to the people of the Gulf Coast states affected by the Deepwater Horizon accident and spill, and we deeply regret that this occurred,” he said.
Darren Shimkus, senior vice president at Credant, said: “This is a real wakeup call to corporations and governments everywhere. Regardless of the official security policy, sensitive corporate data will find its way everywhere, including corporate endpoints like laptops and thumb drives.
“It is only going to get harder for IT. As consumerisation brings more smartphones, iPads and other devices into the corporate environment, data risk multiplies and becomes even harder to control. Companies and governments need to make data security a priority and get ahead of this now.”
Chris McIntosh, CEO of Stonewood, said: “This loss reminds us in the UK that it's not just the public sector that can come under fire for mishandling data: even the largest of businesses can show inexcusable carelessness with individuals' sensitive information. Leaving sensitive data on individuals such as this unencrypted is bad enough.
“When you factor in the legal importance of the data and the scale of the event which made BP record it in the first place, it becomes inexplicable. Certainly, if this had happened in the UK we'd hope that the Information Commissioner would be bringing its full weight down upon BP. As it is, this incident teaches two lessons: data will always be vulnerable to accidental loss or unexpected theft and as a result it must be encrypted at all; and second that in the event of a loss, any response must be swift and decisive.
“BP may claim that it has been investigating the incident during victims' month-long wait for information, but this seems similar to the actions that resulted in Zurich Insurance receiving a record fine from the FSA last year: too little, much too late.”
Dave Everitt, general manager of EMEA at Absolute Software, said: “A lost laptop with the personal data of thousands of Louisiana residents is the last thing BP needs right now. However accidents happen and as long as big corporations employ humans rather than robots, they should be prepared for such events.
“What's shocking in this case is not only that it is such inflammatory information that has been lost, it is that BP seems to have taken little more than the bare minimum to guard against what is essentially a very likely scenario.
“Many CIOs and business managers do not even realise that the broadest range of laptops from major companies such as Dell, Lenovo or HP, already come equipped embedded with technology that enables them to be tracked and located. They can even remotely wipe any missing equipment which hosts potentially sensitive data.
“In this case, the solution was already there, sitting in the hardware, simply waiting for BP to activate it. The low cost involved in enabling such a solution would surely be insignificant compared to what it will cost now to counteract yet more negative PR for this beleaguered company.”