Backup tape is stolen from Bristol-Myers Squibb
Date Reported:
7/17/08
Organization:
Bristol-Myers Squibb Co. ("BMS")
Contractor/Consultant/Branch:
Unknown
Victims:
Current and former employees and some dependants
Number Affected:
Unknown*
*Bristol-Myers Squibb had "about 42,000 employees as of Dec. 31, the last date for which work force figures were available in regulatory filings.", Source: CNN Money
Types of Data:
"name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances bank account information"
Breach Description:
"On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage. Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees"
Reference URL:
Pharmalot (copy of notification letter)
Pharmalot
CNNMoney
Report Credit:
Ed Silverman, Pharmalot
Response:
From the online sources cited above:
The drugmaker sent letters over the past week saying a data tape containing reams of personal information was stolen several weeks ago
On June 4, 2008, Bristol-Myers Squibb Company ("BMS") learned that a back-up data tape containing BMS-related data was stolen while it was being transported for storage.
[Evan] This statement prompted me to list the contractor as "unknown" instead of "none". I presume that the data tape was being transported by a third-party vendor when it was stolen. I am looking for more information on this.
Through subsequent forensic work, it was determined that the data tape included personal information of current and former BMS employees, such as name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances, bank account information.
[Evan] Ugh, this looks like very sensitive HR and benefits data.
The names, addresses, and Social Security numbers of some employee dependents also were included on the tape.
an untold number of current and former employees - and their dependents - could be affected
BMS has initiated an investigation of this incident.
To date, BMS has no reason to believe that any of your personal information has been inappropriately accessed from the data tape by an unauthorized party, or that any identity theft, fraud or misuse of your personal information has occurred.
[Evan] I agree with most of this statement except for the "misuse" part. There may be no evidence of misuse post stolen tape, but there may be an argument for misuse by BMS themselves. BMS is the data custodian in this scenario, not the data owner. If a data custodian does not care for the owner's information in a manner that is expected or communicated, does it constitute misuse?
In addition, there is no evidence that the data tape or the information contained on it was the target of the theft.
[Evan] I am interested in knowing more about who was transporting the tape and whether or not other items were taken.
As a precaution, to help you detect any possible misuse of your data, BMS has arranged for you to enroll in credit monitoring for one full year, at no cost to you.
[Evan] There is that "misuse" mention again. One year of free credit monitoring does nothing to protect a victim against fraud that occurs after one year, supposing the victim does not renew at his/her own expense. I wonder how many people renew on average.
If you have any questions, you may call the dedicated Privacy Help Line at 1-. Our representatives will be available to assist you Monday through Friday, between 8 a.m. and 5 p.m. ET.
the drugmaker is issuing this statement: "Bristol-Myers Squibb regrets that this incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the stolen data tape. We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."
Protecting the privacy and security of your information is extremely important to us.
In this regard, BMS wishes to reiterate that it does not have any evidence indicating that your personal information has been misused.
[Evan] Another "misuse" mention.
the company is taking appropriate remedial steps, including enhancing security protocols regarding the handling of personal information and our back-up data tapes.
[Evan] Like what? Encryption maybe?
On behalf of BMS, I apologize for any inconvenience or concern that this matter may cause for you.
Commentary:
I couldn't find any mention about encryption or whether or not police were called. You would think that a large, well-respected company like Bristol-Myers Squibb encrypts confidential data on tape, right?
Past Breaches:
Unknown

Seems that CNN removed the news article.
Attorney General Richard Blumenthal of Connecticut wins stronger protection for Bristol-Myers data breach victims. Press releases below:
http://www.ct.gov/ag/cwp/view.asp?Q=424752&A=2795
http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=424508