The computer disk containing data on former and current Alcatel-Lucent
employees and their dependants was supposed to be delivered from one vendor that handles employee benefit plans to another vendor that does actuarial work for the Murray Hill, N.J., company.
It never made it.
Now, Alcatel-Lucent is working with state, local and federal authorities in order to track down how and why the disk containing social security information on company retirees and their dependants was lost or stolen.
The company said the information contained on the computer disk included names, addresses, Social Security numbers, date of birth and salary data of Alcatel-Lucent U.S.- paid employees who worked for Lucent (prior to its merger with French networking company Alcatel) and their dependents, and Lucent retirees and their dependents.
Although Alcatel-Lucent would not confirm the number of employees impacted by the data loss, it is widely estimated that some 200,000 records on employees and their dependants were lost with the disk.
With the news, which Alcatel-Lucent divulged to its employees yesterday, the networking giant joins an ever-growing list of companies and federal agencies whose data on employees has been lost, stolen, or compromised, putting those employees at risk for identity theft or fraud.
Just this week, IBM
&Nbsp;said a third-party vendor had lost data tapes that contain the personal information of former employees. The lost IBM data included dates of birth, Social Security numbers, addresses, lengths of employment and other private information. And, similar to the IBM data loss, the data on the Alcatel-Lucent disk was not encrypted.
However, Alcatel-Lucent said the disk did not contain credit card numbers, bank account numbers or password information.
The disk was supposed to be delivered by Hewitt Associates, which helps manage Alcatel-Lucent employee health and benefit plans, to AON, which provides actuarial services. The courier was UPS. It said it was informed on May 7th by one of the vendors that a computer disk containing personal information could not be located.
A spokesman for Hewitt was not immediately available for comment and internetnews.com was not able to reach the other companies by press time.
In the meantime, Alcatel-Lucent spokesman Peter Benedict said the company has asked all vendors to immediately stop shipping personal employee information via courier service. “One of the issues we’re looking at is why the information wasn’t encrypted or password protected,” he said.
New Jersey is a state with a data breach notification law on its books.
The company said it appears that the disk was either lost or stolen between April 5 and May 3. “Although we do not have information that any of the personal information has been misused, as a precaution the company has asked the U.S. Secret Service to investigate and has reported the incident to state and local law enforcement officials. The company also has launched an internal investigation and is working closely with law enforcement officials.”
In a statement, Frank D’Amelio, chief administrative officer for Alcatel-Lucent, said the company recognizes “that we have a responsibility to carefully protect this type of information and deeply regret this loss. We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them
minimize any potential risk this incident could create for them.”
After sending e-mails to its employees about it Thursday, Alcatel set up a Web site, internally and externally, where employees, retirees and dependents can get more information, including suggestions on actions they can take to protect themselves against identity fraud. Letters to all the impacted employees are also going out.
In addition, Alcatel-Lucent said it is arranging to provide the individuals at risk with identity theft protection and credit monitoring for one year free of charge.
The case is only the latest in a string of notifications of data on employees going missing or stolen that has swarmed the industry in recent years. Retailing giant TJX Companies
had to admit in March that that as many as 47.5 million customer records were stolen as a result of database intrusions going back to 2003, ranking it as the largest known data breach of its kind.
In 2005, CardSystems reported that hackers had gained access to some 40 million customer records. The Veterans Administration (VA) also had to admit last year that about 26.5 million veterans were at risk of identity theft after a laptop was stolen from a VA employee.