Tele Atlas reports a backup tape with employee data is lost in India
Date Reported:
7/17/08
Organization:
Tele Atlas NV
Contractor/Consultant/Branch:
Tele Atlas North America ("TANA")
Willis North America
Victims:
Employees and dependents
Number Affected:
Unknown*
*There are 496 New Hampshire residents
Types of Data:
"names and social security numbers"
Breach Description:
"on Monday, June 30, 2008, Tele Atlas North America ("TANA") learned that Willis North America ("Willis"), TANA's third party benefits administrator, inadvertently misplaced backup tapes while in transit to a storage facility in India on June 9, 2008. The backup tapes contained computerized data including the names and social security numbers of TANA employees and their dependents who have insurance provided through TANA."
Reference URL:
New Hampshire State Attorney General breach notification
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
I am writing to notify you that on Monday, June 30, 2008, Tele Atlas North America ("TANA") learned that Willis North America ("Willis"), TANA's third party benefits administrator, inadvertently misplaced backup tapes while in transit to a storage facility in India on June 9, 2008.
[Evan] In India? This is the first breach report that I recall which concerns compromised personal information belonging to American employees, lost in a foreign country by a third-party company.
The backup tapes contained computerized data including the names and social security numbers of TANA employees and their dependents who have insurance provided through TANA.
[Evan] There is no mention of encryption in the breach notification, so we will assume that it was not used. It seems like a very poor business decision to not encrypt sensitive confidential information at rest, especially when it is stored on mobile devices such as flash drives, backup tapes, compact disks, and laptops. It appears that both TANA and Willis failed in managing appropriate risk, unless someone made the decision that this practice was acceptable.
TANA believes that 496 New Hampshire residents have been affected.
[Evan] I presume that this backup tape included personal information belonging to many more TANA employees and dependents. TANA employed an average of 1,699 employees in 2007 (source: TANA Key Figures page)
Willis has no reason to believe that the tapes were specifically targeted, or that any information has been accessed or used improperly.
Willis has informed TANA that this was an isolated event, and that they believe that the likelihood of any criminal misuse of the data, while difficulty to predict with absolute certainly [sic], is minimal.
[Evan] Based on the seemingly poor risk management decision to not encrypt this information, I am inclined to question this risk assessment statement.
While the loss did not involve a crime, the individual who misplaced the tapes did make a report to a police station in Mumbai, India.
[Evan] I wonder how long it will be before these types of losses will become a crime. Whether it should or not is open for much debate.
We apologize that this has occurred, and are aware how important your personal information is to you.
We take seriously our commitment to safeguarding confidential information entrusted to us by our employees, such as your personal information.
[Evan] A demonstration of this "commitment" would be better protection.
Rest assured that we are carefully reviewing this matter and taking measures to ensure that it does not happen again.
Willis is in the process of making available identity theft protection for all affected TANA employees which includes identity theft protection through IDFreeze from TrustedID.
If you have any questions or need additional information, or if you would like a copy of the lost items report, please contact Jean Mackay, Benefit Manager, at 1-, ext. 1774
Commentary:
This breach is troubling, as are most that include such seeming "no-brainer" types of risk management decisions. Two respectable companies, both responsible for the protection of confidential information, and an unencrypted backup tape containing confidential information lost in India. How does this add up? To add insult to injury, isn't Willis in the risk management business?
ALL of my comments are moot if the tape actually was encrypted.
Past Breaches:
Unknown

I received a letter dated July 24, 2008 that states my personal information was lost on June 9, 2008 while in transit to storage. I have no connection that I'm aware of to TANA, so I'm confused. Is Willis managing other employee benefits that have been compromised? Or is this a scam?
Reply to this
Without seeing the letter that you received, it is difficult for me to comment. If you would like me to take a look, feel free to send a scanned copy of the letter to .
According to the New Hampshire State Attorney General breach notification:
"If you have any questions or need additional information, or if you would like a copy of the lost items report, please contact Jean Mackay, Benefit Manager, at 1-, ext. 1774"
If Jean Mackay cannot answer your question, perhaps he/she can refer you to someone who can. Another possible contact is the Willis North America Client Hotline.
Reply to this
I also received this letter directly from Willis, dated July 24, 2008. At first I thought, who is Willis? I then thought perhaps this was a scam, I do not have any dealings with TANA.
One of the replies stated "If you notice they are not trying to sell you anything". I'm not so sure about that ... the 4th paragraph in the letter states: In addition to enrolling for the complimentary 24-month credit monitoring and identity theft protection service from TrustedID, I hope that you will take advantage of several other resources that are available to help you protect your personal information.
Hmmm, is that paragraph saying that once you go to TrustedID web site that they will be trying to sell you other services as well?
Reply to this
Yes, Barbara there are others. You do not need to send this Evan Francen anything because I recognized the summary of what you wrote from the letters (3) we received yesterday. Our letters came directly from Willis, and were confirmed in email to us from our mother company. Our employee services are maintained by The Benefits Headquarters. If you notice they are not trying to sell you anything, but as the above blog implies, these people don't seem to take this that seriously if our info is in India. It's difficult to find anything on the Internet.
Reply to this
I also have received this letter today, but mine read they are writing on behalf of Willis, which provides employee benefits service for your employer or former employer. It does not say anything about TANA.
Reply to this
I, and other co-workers located in several states also got the letter directly from Willis. I find this troubling too, that I am finding this information in a mailing from the 3rd party vendor, and not getting notified by my own company. I also find it troubling that the free credit report is only available to those who have not already accessed their free credit report for the year. You are only allowed one free report per 12 months.
Reply to this
I received this letter today [8/6/08] and called Willis and they told me what company they provide risk management for and it was the company I worked for. I asked for the police report and Willis sent it to me. It's in Hindi but translated. Here is what it says.
Police Station Daily Dt. 20/6/08
Time: 9.05 a.m.
Subject: Regarding Bag which was forgotten
Report: Traveller named Timothy Coutinho , Plant No.6, Trinity Computer Processing (India) Pvt. Ltd., L.B.S. Marg, Vikhroli (West) , was travelling on 9/6/08 from Ghatkopar to CST between 11.29 a.m. to 12.25 p.m. in IInd Class compartment. While travelling he forgot the bag containing 10 Tapes of the Co. on the rack and made a complaint in the Missing Complaint Register but as of date we have not received any information or nobody has handed over the bag. Application for certificate was made on 19th June 08 by Co’s Sr. Officer Ms.Shantadurga Gulwadi hence we have issued this certificate today about the missing bag by Asst. Sub Inspector Bharmal which to be noted.
I called TrustedID and they said that Willis has provided us 2 years complimentary protection. After two years, TrustedID will email/call us to see if we want to continue so at least this is not one of those intrusive 'get something free, then we bill you after trial period' deals.
Here's my main gripe. In the letter from Willis, it states, "You should also remain vigilant over the next two years by attentively monitoring your credit reports and account statements for indications of fraud and/or theft, including identity theft." Uhm, I'm calling my lawyer because this is absolute CRAP. Willis should provide us LIFETIME identity theft protection. Who's to say after two years, whoever got our tapes decides to act upon a crime??? Anyone that wants to join me to fight for our rights against Willis, feel free to email me at .
WILLIS, OWN UP TO YOUR MISTAKE AND GIVE US FREE LIFETIME PROTECTION.
Reply to this
I'm also in Texas, and received this letter using current or prior employer rather than singling out an entity I'm familiar with.
The other strange thing about the letter I received, it was addressed in a way unusually different from how I normally list with my employer and benefits correspondence.
I have put out the feelers with my current and past employers to see if any of them also received such a letter.
Until I get confirmation from my employers, I'm thinking this is a marketing or phishing scam.
Exo
Reply to this
I found out that one of my employers did use a Willis company for some of their benefits, and that I should be receiving a separate letter about the incident from them.
Exo
Reply to this
In reply to "PattyI"
While researching for this on the Internet, I also found that it seems to be common for backup tapes to be lost. GEMoney for JC Penney had some tapes lost earlier this year, and they had to provide some ID theft protection similar to what we have been offered. Our letters do not say anything about a cost for this protection. The IDTheft is around $15 a month for a family if you did buy it, so this isn't something freely given, it will cost Willis. Do you think the company protection is provided by India in any way? I don't see much need in Willis/The Benefits Headquarters for our company. They can't answer anything for me, that I can't find the answers for myself.
That same article said that GEMoney sent out the notices just like Willis sent, generic, no association with JC Penney known to recipients. Most people would just think it was junk mail and throw it away, not knowing it dealt with their JC Penney account information. Those tapes were not lost in India, but in the US. I could be wrong on some of what I repeated because I do not have those websites to take notes exactly.
Reply to this
I've received the same letter from Willis and even called their helpline listed in the letter. First of all, they are not a scam company. They are a brokerage firm that companies hire to find the best insurance for them as well as other benefits. Their website is www.willis.com and they are traded on the stock market. So, they are a reputable company. Secondly, after probing them about their seemingly inadequate offer of two-years of free identity theft protection, they did indicate that if I ever had any loss due to this specific incident, then they would review my case and I would probably be reimbursed for my loss. So, I get the impression that they are doing everything that they can possibly do. It's just a very unfortunate human error that caused this mess.
I was able to get one of them to admit that the files were not encrypted. Of course, there is no excuse for this and they admitted as much. However, in this day and age, encryption isn't anywhere near fool-proof either. Just a thought.
Reply to this
As I have confirmed with one of my prior Employers, I also concluded that this is not a phishing scam.
However I have a problem with a couple of your further statements.
In this day and age we do have well tested Encryption systems that we know that with our current understanding of the effort required to crack will require several thousand to several million CPU MIPS years mainly depending on the key lengths involved.
However this being a United Kingdom Parent company using outsourced Labor in India further complicates their use of encryption. England for one has strict limits on the level of encryption that may be used as well and a key escrow system that experts agree introduces its own weaknesses. India may not allow any encryption at all, I know it was true in the recent past, I have not followed if this has been improved or not.
Either way, the data should have been encrypted. There are tape drives that will do this transparently once you configure your security keys.
Even modern hard drives can be configured to prevent access to the data they contain until a special command is sent to the drive containing a decryption key. There is no excuse.
If companies cannot take reasonable efforts to protect our data from accidental disclosure, then they should not have it.
I'm not exactly thrilled about giving my personal data to yet another company for protection.
Exo
Reply to this
If you read my post entirely, I mentioned that there was no excuse for them to not have encryption on these tapes. However, the fact remains... even encryption is not fool-proof in this day and age.
Reply to this
I agree, although I don't think you read my reply completely either or I failed to express myself fully.
Even with well trusted algorithms, it is hard to get encryption correct. Simple mistakes in how the random number generators are seeded / initialized can open a vulnerability that will be hard to spot without extensive validation testing.
My point above was that the out-sourced labor and conflicting political restrictions on encryption use, may have had more to do with the lack of use than anything.
Exo
Reply to this
I understand. good point
Reply to this
OK, So the data is out of the barn.
Now.... Let's go give the same info to another "trusted cohort" so they can also misplace and misuse our data in the future.
Reply to this
Is there reasonable belief that a company should provide this loss information to its employees in a timely manner? My company HR was instructed by legal counsel to sit on the information and not notify the employees. My company HR did exactly that, from the VP on down. My company employs over 5000 people. Wouldn't that actually increase the liability of my company, rather than decrease the chances of employees filing suit? This information was lost nearly 2 months prior to notification by Willis in a form letter to my company employees. Even now, my company has not made an official notification to its employees.
Reply to this