Four backup storage cartridges containing personal information on about 800,000 adults and children in California's child support system were lost during shipment, state officials say.
See Also: Rethinking Endpoint Security
The backup cartridges contained such information as names, addresses, Social Security numbers, drivers' license or identification numbers, names of health insurance providers, health insurance plan membership identification numbers and employer information, officials say in describing the breach.
"Because the devices are in a specialized format, we have no reason to believe, at this time, that the data have been accessed or utilized in any way," says Kathleen Hrepich, interim director of the California Department of Child Support Services, in a statement. The cartridges were not encrypted, but they use a format requiring specialized hardware and software to access, says Christine Lally, a spokeswoman for California Technology Agency.
The department is contacting all those whose information was lost and recommending they place a fraud alert on their credit cards. The department also has established a toll-free number for information: 866-904-7674. It has alerted the three major credit reporting agencies as well as the California attorney general's office and the state Office of Privacy Protection. The department's statement on the incident, along with a frequently asked questions website posting, do not mention an offer of free credit protection to those affected. Lally says that's because officials believe the storage devices have not been acessed or utilized because of their format.
Lost in Transit
The department learned March 12 that the cartridges apparently were lost during their air shipment by FedEx from an IBM facility in Colorado to California. The department had sent four cartridges to an IBM facility in Boulder so IBM could test whether it could remotely run the state's child support system in the event of a disaster, such as an earthquake, Lally confirms.
Iron Mountain, a contractor the department uses for secure transportation of sensitive materials, hired FedEx as a subcontractor for flight transportation services, Lally says. "We believe that the containers were not properly secured at the IBM facility, allowing the storage devices to be lost in transit," she adds.
In response to Lally's comment, IBM spokesman Jeff Tieszen says: "The investigation into the incident continues; it's premature to draw conclusions at this time. The security and protection of data is of utmost importance to IBM, and we continue to work with all parties to find the unaccounted for devices."
The California Office of Technology services is working with its contractors to strengthen their information security practices, according to the frequently-asked-questions posting. The office "is in the process of establishing new systems and processes that will eliminate the need for shipping storage devices in the future."
This is the second major breach incident since 2011 involving IBM. Last March, Health Net announced that IBM informed the insurer that nine server drives were missing from an IBM data center. The drives included personal information on 1.9 million individuals.