Tuesday, June 12, 2007

I Get Letters

I received a letter yesterday from IBM marked "Urgent Message From IBM. Please Open Immediately." In pertinent part, it read:
> We are writing because of an incident that has resulted in the loss of information relating to your IBM employment, and we wanted to inform you about what happened and explain steps IBM is taking to help protect you.
>
> Recently, data tapes were lost while being transported by a vendor. Those tapes contained primarily archival IBM employment-related information, including Social Security numbers. After a thorough investigation of the incident, we have concluded that the tape loss was inadvertent and not associated with theft or any other unlawful activity. We have no indication that the personal information on the missing tapes, which are not the type that can be read by personal computer, has been accessed or has been used for any improper purpose. Nevertheless, IBM takes any loss of personal data very seriously and has taken steps to protect you and your data.

Ignore the irony of IBM claiming to take steps to protect me and my data when they contracted with a vendor that allowed tapes containing my Social Security number to fall off the back of a truck in Westchester County, New York (which is, in fact, what happened) and then waited almost four months to tell me about it. Ask not about why it is that companies only seem to take protecting sensitive personal data seriously after it has already been lost. Don't complain about how ridiculously inadequate IBM's response to this incident is (a year of ID theft monitoring from a company named Kroll, but only for those who choose to sign up). Instead, consider these two questions:
  1. How many employees and former employees did IBM lose data for? IBM won't say "[i]n order not to impede any continuing investigative efforts." Of course, they'll have to disclose that once they get sued, and I'm sure that they will.
  2. How in the heck did they find me? My employment with IBM was a long time ago in a state far, far away. I haven't exactly kept in touch. How did IBM get my current address?

1 comment:

BigBad George said...

How'd IBM find you? They hired Kroll as both an investigator to search public records and to provide a watered-down credit monitoring service. I also received the same letter from IBM... 2+ months after the data breach (plenty of time for ID thieves to do damage). Like you I have problems with the way IBM is handling this. I blog about IBM's mis-steps, my experience dealing with the mess IBM has created, and issues when companies expose the personal data of former employees:

I've Been Mugged

George