George is an ID theft victim whose personal data was potentially exposed after an incident involving IBM. While IBM has graciously extended its hand to help fix the problem, George hasn't been completely happy with how things are turning out. His story may have lessons for the rest of us.

Michael Singer, Contributor

August 6, 2007


Back in May, we reported that a contractor working for IBM lost at least one mainframe tape containing identifying information on current and former IBM employees. The contractor was in Westchester County, N.Y., at the intersection of Interstates 287 and 684, when he realized that he was missing some data tapes that were being delivered to a long-term storage facility.

Police search the area. Nothing turns up. IBM issues an apology and offers a year's worth of free credit monitoring. That should be the end of the story, right?

At the time I was very cynical of IBM and any other company that tried to fix a mistake of this magnitude with a reactive service like credit monitoring. It seems like an unbalanced compensation. And it appears as though I'm not alone.

Enter George -- who is not revealing his last name. George received notification from IBM in May about the data breach, which was a surprise to him because he said he had never worked for IBM. He looked into the offer but figured that it might not be worth it to him, since he already pays for credit monitoring.

George e-mailed me to say he recently had a 75-minute detailed conversation with IBM about their data breach. "IBM insists on calling it 'lost' data tapes," he said. Of course, George said he had several questions about the status of the investigation and IBM's records retention policy. He had heard very little about whether anyone had found the tapes and what the authorities were doing about it.

But George's bigger beef is that "there are problems with the way IBM is handling their data breach."

As a result, George ended up starting a blog entitled "I've Been Mugged... One person's experience with identity theft and corporate responsibility". The blog covers his experiences dealing with the IBM mess and issues related to data breaches of employee records. To date, he has two months of postings, with a blogroll chock-full of resources and information on pending legislation.

You can read along with George's exploits, but suffice it to say, IBM had 16-year-old information on George. IBM also hired the same consulting company (Kroll) both for IBM's corporate investigation needs and as a credit-monitoring service for former IBM employees, which George thought was a potential conflict of interest.

As a follow-up, I asked the company how exactly IBM verified that George was the correct person in its records, especially if he never worked for the company.

I also asked whether IBM still does business with the vendor that "lost" the data tapes. And finally: "What procedures has IBM put in place so that a data tape 'loss' during transit doesn't happen again?"

IBM spokesman Fred McNeese was generous enough to answer that George previously worked for Lotus Development Corp. prior to IBM purchasing it. The human resources records would have come over to IBM as part of the purchase.

Fred also said that "Yes, IBM is still doing business with the vendor involved in the incident," but declined to go further.

"Steps have been taken to prevent recurrence of this event," Fred said. "I am not going into detail concerning those steps since it is IBM's practice not to discuss the specifics of any aspect of its security operations."

Fair enough. Security is precious to a massive company like IBM. But what have we learned from George's experience?

First off, even if you no longer work for a company, it is very likely that your data still will. And even if you've long forgotten the secretary's name or the phone number of your old supervisor, your permanent record could wind up in the hands of another corporation, and it may be months before you hear about your information being compromised. Does this mean that we all need to be diligent about how even our former employers are faring? That could be problematic in an environment where workers change jobs frequently and consolidation of companies has become commonplace.

Secondly, hiring the same consulting company both for IBM's corporate investigation needs and as a credit-monitoring service is not illegal or unethical, but it may raise some eyebrows with the people you are trying to help.

Finally, credit monitoring is strongly recommended. IBM and George agree on that. However, paying for a credit monitoring service isn't for everyone. George was one of those types who invested in a monitoring service for himself. Some services cost as much as $200 per year.

Hopefully, IBM and George find common ground on other types of protection and compensation. We'll keep you updated on how this story resolves.
