CPA group says hard drive with data on 330,000 members missing
'We are looking at it as a missing shipment; that doesn't mean it's lost,' says a FedEx spokesman
Computerworld - Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) today confirmed that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February.
The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies, said Joel Allegretti, a spokesman for the New York-based organization. It was on its way back to the AICPA via FedEx but failed to arrive. Allegretti did not say when exactly the drive went missing except to note that the package containing it was due back at the AICPA "toward the end of February."
It took the organization until March 31 to "re-create the drive" and determine what data it contained. The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task, Allegretti said.
Jim McClusky, a spokesman for FedEx Corp., said it is unclear what exactly happened to the drive. But he stressed that it is a mistake to characterize the package as being lost.
"We did handle the shipment, and we are working closely and cooperatively with our customer to determine where the package might be," he said. "It is still being investigated. At this point, we are looking at it as a missing shipment; that doesn't mean it's lost."
Based on investigations so far, it does not appear that information on the hard drive has been misused, Allegretti said.
Following the loss, the AICPA is offering affected members a year's worth of free credit-monitoring services. The incident has also prompted the group to begin deleting all Social Security numbers from its member database.
While a note posted on the organization's Web site says the collection of Social Security numbers has been a long-standing procedure, it added that "we will cease collecting and maintaining them, except in limited circumstances. And even for those, we are accelerating our efforts to develop other means of uniquely identifying our members."
News of the AICPA breach comes amid a flurry of similar disclosures in recent days. By far, the biggest was the May 22 disclosure by the U.S. Department of Veterans Affairs that it had lost personal data on more than 26.5 million veterans discharged since 1975. Since then, the agency has admitted that the breach may have exposed personal information on about 2.2 million active-duty National Guard and Reserve troops as well (see "Personal info on 2.2M troops part of VA data theft").
Since then, there have been similar disclosures elsewhere, including Texas Guaranteed Student Loan Corp., a Round Rock, Texas-based nonprofit organization. TG said that an outside contractor lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers.
On May 26, Sacred Heart University in Fairfield, Conn., announced that one of its computers had been hacked into, resulting in the potential compromise of data belonging to 135,000 alumni and would-be students. And earlier this month, a password-protected laptop containing credit card information on more than a quarter-million Hotels.com LP customers was stolen from the car of an auditor at Ernst & Young LLP.
Read more about Privacy in Computerworld's Privacy Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Privacy White Papers | Webcasts