A data tape containing information on 650,000 retail customers went missing from the Iron Mountain data storage company's vaults in October, the company reports. The missing tape contains personal information from customers of J.C. Penney and 100 other retailers, including 150,000 Social Security numbers.
The loss was discovered when GE Money, the financial services branch of General Electric and payment processor for many retail operations, requested the tape from Iron Mountain.
According to Iron Mountain, the tape was never checked out but could not be found. Representatives of the company claim that there was no evidence the information had been used for identity theft, and that accessing the information on the tape would be difficult without "specialized knowledge."
An accidental loss of a back-up tape is not an identity theft issue or a crime; it is distinctly different from previous cases of malicious hacking or PC theft," the company said. "Since we notified GE Money of the missing back-up tape in October, there has been no evidence to suggest that any person's identity has been compromised as a result. And we don't know of any incident, ever, when a lost back-up tape has resulted in identity theft."
Iron Mountain boasts on its Web site that it is "the leader in records and document management, so we know how to protect personal information. We use the strictest safeguards, including encryption, access controls, firewalls, intrusion detection, virus protection, and secure data destruction. We also have redundant systems, to ensure fast recovery in the event of a disaster."
"You can absolutely depend on Iron Mountain to secure your backup data and ensure quick recovery of your vital information in the event of a loss," the company advertises.
GE Money has offered to pay for a year's worth of credit monitoring for affected customers.
Since the discovery of the tape and investigation of the incident, the company has sent letters to customers informing them "We have no reason to believe that anyone has accessed or misused your information. The pieces of information on the tape would not be enough to open new accounts in your name, and we have implemented internal monitoring to protect your account number from misuse due to this incident."
Covering the tracks
Exact links between data breaches and identity theft can be difficult to trace, due to many factors, such as the amount of lost or stolen records, what kind of information was lost, and "synthetic identity theft."
Synthetic identity theft involves taking pieces of different people's personal information and combining them into a new identity, making its misuse harder to distinguish as fraudulent.
A 2007 report by the Government Accountability Office (GAO) found that law enforcement agencies often could not track cases of identity theft back to data breaches, as some instances of fraud did not occur until a year or more after the breach.
And the amount of exposed personal information continues to grow apace. According to the watchdog Identity Theft Resource Center's 2007 data breach report, there were 448 data breaches last year, exposing over 127 million personal information records to potential identity theft or fraud.