Security snafu at Boston Globe exposes subscriber data

Bank, credit card information on more than 240,000 people was made public

An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank number information belonging to more than 240,000 subscribers of The Boston Globe and the Worcester Telegram & Gazette.

The snafu occurred when the account information of Globe and T&G subscribers who pay for their home delivery subscriptions by credit card was disclosed on the back of more than 9,000 individual routing slips used to label bundles of the Worcester Sunday Telegram, the Globe said in a statement today. The bank routing information of some T&G subscribers who do not pay by credit card may have also been inadvertently disclosed, the paper said.

Both newspapers are owned by The New York Times Co. and share a computer system.

According to the Globe, discarded reports were recycled as paper used to print the routing slips. The newspaper was alerted to the compromise by an employee at a store that sells copies of the newspaper, said Alfred Larkin, senior vice president of general administration and external affairs at The Boston Globe. "As soon as senior management became aware of the situation, we dispatched a significant portion of our delivery force and attempted to recover as many of the routing slips as possible," he said.

So far, about 1,000 of the routing slips have been recovered, Larkin said. "Most of the others we believe have been discarded," he said.

According to the Globe's account of the incident, data was printed out twice in recent weeks by business office workers at the T&G and then thrown away to be recycled. In one case, an employee started to print a report, stopped the printing before it was done and discarded the paper. In the second, a different employee began printing out a report, realized it was the wrong one, aborted that job and threw the report out.

A majority of the affected individuals are subscribers to The Boston Globe, Larkin said. The company has already contacted the four major credit card companies and also some of the banks involved in the compromise. Later today, it will send letters to the affected individuals informing them of the compromise and any follow-up action they need to take to mitigate exposure to fraud.

"We hope to be able to offer some way of assuring their safety going forward," Larkin said, adding that no decision has been made on what exactly that might be.

Larkin said he does not know how long recycled internal reports have been used to print routing slips at the T&G, but he said the practice was immediately stopped. It was not a practice followed by the Globe.

The paper also set up a hot line, (888) 665-2644, that subscribers can call to verify whether their information was compromised, he said.

In a statement, publisher Richard Gilman said he regrets the "inconvenience" the incident may cause subscribers. "We deeply value the trust our subscribers place in us and are working diligently to remedy this situation. Immediate steps have been taken internally at The Globe and the Telegram & Gazette to increase security measures for protecting customers' confidential information," he said.

Such incidents highlight the need for companies to have a holistic data security and data classification strategy that includes controls for information stored in backup tapes, storage devices and on paper, said Roberta Witty, an analyst at Stamford, Conn.-based Gartner Inc. "Just because it's not in electronic form doesn't mean you don't put controls over it," she said. "At the end of the day, it is the responsibility of the information security group with the records management group" to ensure that proper controls are in place for sensitive information.

The incident is only the latest in a constantly growing list of major data compromises over the past year or so. Only last week, for instance, Providence Home Services in Seattle and Ameriprise Financial Inc. in Minneapolis disclosed separate security breaches involving the compromise of confidential customer data. Providence said it was notifying 365,000 hospice and home health care patients about a theft of backup tapes containing confidential information. Ameriprise said it was notifying 158,000 customers and 68,000 financial advisers about a possible compromise of their confidential information after a company laptop was stolen.

Similar breaches have hit a variety of companies in recent months, including Bank of America, LexisNexus and ChoicePoint Inc. The compromises have fueled congressional and federal concerns about data privacy and security. Only last week, the Federal Trade Commission imposed penalties totalling $15 million on ChoicePoint for its alleged failure to meet its data protection obligations.

Related:

Copyright © 2006 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon