[ISN] Time Warner says data on 600,000 workers lost

InfoSec News isn at c4i.org
Wed May 4 02:37:40 EDT 2005


By Lucas Mearian 
MAY 02, 2005 

Time Warner Inc. reported today that a shipment of backup tapes with
personal information of about 600,000 current and former employees
went missing more than a month ago during a routine shipment to an
offsite storage site.

The tapes, part of a routine shipment being taken to the site by
off-site data storage company Iron Mountain Inc. didn't include data
about Time Warner customers, the company said in a statement.

The company told employees today that the data tapes went missing
March 22.

We are providing current and former employees with resources to
monitor their credit reports while our investigation continues. We are
working closely and aggressively with law enforcement and the outside
data storage firm to get to the bottom of this matter,. said Larry
Cockell, Time Warner.s chief security officer.

The U.S. Secret Service is working with both Time Warner and
Boston-based Iron Mountain to investigate the missing tapes.

The $42 billion media company said in a statement that there is no 
evidence that the data has have been illegally accessed or misused. 
The company said it has contacted major credit agencies -- Equifax, 
Experian and Trans Union -- about the data loss. 

After determining that publicizing the data loss wouldn't interfere 
with the investigation, Time Warner posted a statement about it on its 
Web site, as well as a letter to its employees about the incident and 
an FAQ. 

In the letter to employees, Time Warner said the missing tapes 
contained data such as names and Social Security numbers of current 
and former U.S.-based employees, their dependents and beneficiaries. 

Cockell said in the statement to employees that the company has made 
arrangements with Equifax to offer U.S. employees a free subscription 
to Equifax.s Credit Watch Gold credit monitoring service to help 
protect identity and credit information for 12 months. 

Time Warner's disclosure follows on the heels of other high-profile 
security breaches in the U.S. In March, a laptop containing data on 
100,000 graduate students, alumni and applicants from the University 
of California, Berkeley, was stolen from a campus office. 

Bart Lazar, a privacy and intellectual property lawyer and partner in 
the law firm of Seyfarth Shaw Llp. in Chicago, said that as data loss 
incidents pile up, thereÕs greater potential that firms found 
responsible will have to change their data security standards. Most of 
the pressure, he said, may come not from Congress but from insurance 
companies that will require more stringent safeguards before signing 
with a client. 

Part of the problem, Lazar said, is that companies don't have proper 
chain-of-custody requirements or encyption technology in place. 

"I've dealt with many of these companies, and if you ask them what 
happens with their data ... they can't chart it," he said. "Or the 
companies know what to do and they just haven't committed the 
resources to do it. Companies have to deploy their resources. I don't 
know what SANS [Institute] says the spending on security is, but it's 
not huge." 

Lazar said data loss incidents will also likely give rise to more 
companies turning to internal data protection schemes instead of using 
third-party service providers or external data processors. 

These big incidents [are] what leads to consciousness raising and may 
lead to reasonable security standards, he said. 

Reuters contributed to this report. 

More information about the ISN mailing list