Black marks for BP as a laptop goes missing with details of compensation claimants from last year’s oil spill
Oil giant BP has admitted to losing a laptop containing the names and private information of 13,000 people who filed compensation claims after the Gulf of Mexico oil spill last year.
The laptop, which contains a spreadsheet of the names, phone numbers, addresses, dates of birth and social security numbers of claimants, was password-protected but not encrypted.
The company says it immediately reported the incident to law enforcement and company security, and has sent letters to individuals whose data was stored on the computer, notifying them about the potential data security breach and offering to pay for their credit to be monitored.
“There is no evidence that the laptop or data was targeted or that anyone’s personal data has in fact been compromised or accessed in any way,” a BP spokesman said in a statement.
The laptop was lost by a BP employee on 1 March, while on a business trip. BP says it cannot release any information about where or when the laptop computer was lost, to prevent the investigation from being jeopardised.
“This loss reminds us in the UK that it’s not just the public sector that can come under fire for mishandling data: even the largest of businesses can show inexcusable carelessness with individuals’ sensitive information,” said Chris McIntosh, CEO of encryption expert Stonewood, commenting on the news.
“Leaving sensitive data on individuals such as this unencrypted is bad enough: when you factor in the legal importance of the data, and the scale of the event which made BP record it in the first place, it becomes inexplicable,” he added.
McIntosh compared the incident to the loss of an unencrypted data backup tape by Zurich Insurance, during an apparent routine transfer to a data storage centre in South Africa in 2008 . The tape contained the financial personal information of around 46,000 policy holders, but the loss was not reported until more than a year later.
Although BP has come clean quicker, McIntosh is not impressed: “BP may claim that it has been investigating the incident during the victims’ month-long wait for information, but this seems similar to the actions that resulted in Zurich Insurance receiving a record fine from the FSA last year: too little, much too late.”
ICO cracks down on data loss
In the UK, Zurich also came under fire from the Information Commissioner’s Office, which has been coming down hard on institutions in the UK that are responsible for data breaches in recent months. Reports suggest the ICO is currently preparing to issue its fifth data breach penalty, after it was given the power to fine companies that fall foul of the data breach laws up to £500,000 in January 2010.
“Data controllers should realise, if they let consumers down, a fine from the ICO will be the Mark of Cain,” said the information commissioner Christopher Graham.
Of the four fines issued so far, three have been to public sector organisations. Research by enterprise software provider Software AG last summer revealed that 50 percent of public sector organisations have no idea about secure data transfer.
Oil spill – the PR winners and losers
During the actual oil spill, BP had a big job of crisis management and public relations on its hands. It was revealed that the company bought keywords like “oil spill” on Google to increase visibility of its response site, and also had trouble handling a public suggestions box.