Irreverence

Another stolen backup tape

posted on 23 July 2008 09:02


It's obvious; it's onerous; it's a nuisance; but 'it's encryption, stupid'.

An unencrypted Bristol-Myers Squibb (BMS) backup tape containing financial data for 458 New Hampshire residents has been stolen, exposing them to identity theft.

BMS, the world-wide pharmaceutical company, was using a courier company to transport a backup tape from a storage center to a data center; something that happens probably thousands of times a month across America. The theft at a van stop-over occurred on June 4th. The tape was a backup tape and needed a 12-character password to access it plus the appropriate backup software.

There was a mass of other information on the tapes of course but the sensitive data was only that referring to the 458 people above. There's been no indication that any of these people whose data was on the tape - current and former BMS employees - have suffered adverse consequences. Nevertheless ... credit checks ... free insurance for one year ... monitoring - the usual and somewhat poor litany of a company's response.

BMS was supposed to look after this data and it didn't. Identity theft can take years to take place and the company's offer to affected people should respect that rather than offer a niggardly one year's free credit monitoring and identity theft insurance. The BMS website proclaims proudly 'Together we can prevail.' Yeah, right. What a nuisance. Go away. What's that? Act as a responsible corporate citizen for today and tomorrow? Who said that? We did? Really? Get outta here.

A company statement said: "Bristol-Myers Squibb regrets that this incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape. We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."

Great word, 'paramount', and it means little. Regardless of this 'paramount' ideal the company and its custodian fouled up. Paramount is as paramount does, and BMS and its third party were obviously not paramount enough.

When a baby-sitter in your home leaves the window open and a thief enters and steals property it is of little consequence for the careless baby sitter to say: "Maintaining the trust and confidence of the parents whose child I look after is paramount to me." In fact many would think it is an insulting thing to say.

In these identity theft-sensitized times this practice of unencrypted data transfer is becoming untenable. It will be necessary, and quite possibly become a legal requirement, that the transmission, either physically or electronically, of all data of value to identity thieves be encrypted. So yet another cost is loaded onto organisations and prices and taxes will go up to pay for it as there is a nation-wide upgrading of unencrypted backup tape drives to the encrypted versions.

IBM, Sun, HP, Quantum and Tandberg Data will benefit as their encrypted tape drives become more in demand. EMC's RSA and NetApp's Decru should benefit as well.

I think it would be good to hear of identity theft criminals being energetically hunted down and vigorously punished. That would be some compensation for all this added cost.

BMS is now ensuring that all tapes held by its third-party storage company are encrypted. The sounds you can hear? Stable doors closing and having new locks fitted.

[Chris Mellor.]



tags:  encryption