Skip the navigation

Stolen tape puts Bristol-Myers employee data at risk

Thieves seize tape containing personal data during stopover by third-party vendor

By Brian Fonseca
July 22, 2008 12:00 PM ET

Computerworld - Bristol-Myers Squibb Co. officials last week confirmed that a nonencrypted backup tape containing the personal data of current and former employees and their dependents was stolen on June 4 from a delivery truck carrying the device.

Bristol-Myers spokeswoman Laura Hortas said the New York-based pharmaceutical company began notifying current, former and retired employees by mail on July 12 about the missing backup tape. Bristol-Myers would not disclose how many people are affected by the breach.

However, according to a security breach notification letter (download PDF) sent by the company to the New Hampshire Attorney General's office, the personal data of 458 residents of that state was stored on the stolen tape.

Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.

She did say that thieves broke into the delivery truck during a stopover at an undisclosed facility. Bristol-Myers is currently in the process of ensuring that all data tapes maintained by its third-party storage vendor are encrypted going forward.

"Bristol-Myers Squibb regrets that the incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the data tape," said Hortas, reading from a prepared company statement. "We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol-Myers Squibb."

The stolen computer tape included the names, addresses, birthdays, Social Security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has Social Security and address information about dependents of former and current employees.

Hortas said that data on the missing backup tape is protected by a 12-character password and a jumbled text format that can only be read through "pricey" specialized software. "The tape is not something your average person could just pick up and know how to access," she added.

Bristol-Myers said it has no reason to believe that any data on the tape has been inappropriately accessed or that identity fraud has been committed. The company is offering one year of free credit monitoring and identity theft insurance to all individuals and dependents affected by the data breach.

Read more about Applications in Computerworld's Applications Topic Center.



Our Commenting Policies