The personal information of 13,000 individuals who had filed compensation claims with BP after last year's disastrous oil spill may have been compromised after a laptop containing the data was lost by a BP employee.
The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident.
BP said in a statement that the personal information had been stored in a spreadsheet maintained by the company for the purposes of tracking claims arising from the accident. "The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search," BP said on Tuesday.
The information was part of a claims process that was implemented before BP had established its Gulf Coast Claims Facility.
The statement makes no mention of when the laptop was reported as lost. But an Associated Press report quoting a BP spokesman notes that the laptop was lost on 1 March by an employee while on routine business travel.
The spokesman is quoted as saying that BP waited nearly a month to notify victims of the breach because it was doing "due diligence and investigating."
BP said the missing laptop is equipped with a security capability that allows security administrators to remotely disable the computer "under certain circumstances." However, the company offered no further details on what those circumstances might be or whether it has actually disabled the system so far.
"Because this investigation and search for the missing laptop is ongoing, we are unable to provide additional detail that might jeopardize our investigation efforts," the company said.
BP has sent written notices to victims informing them about the potential compromise of their personal information and to offer them free credit monitoring services, the statement noted.
The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops and mobile storage devices.
Such losses have prompted Massachusetts to pass a law requiring companies to encrypt sensitive personal data stored on mobile devices.
Although numerous encryption technologies are readily available these days to mitigate the risk, many companies still don't use them.
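The root failure described above is a spreadsheet of names, Social Security numbers, dates of birth and phone numbers sitting in plaintext on a portable machine. Before a file like that is allowed onto a laptop, a defender can check whether it contains such identifiers at all. The script below is an added example, not code from BP or from this article; it scans a constructed CSV (all values made up for the example) for SSN-, date-of-birth- and phone-number-shaped fields and reports which columns would be exposed if the file were lost unencrypted. The regular expressions are format heuristics and the column names are assumptions for the sample.

```python
import csv
import io
import re

# Constructed sample resembling a claims-tracking spreadsheet exported to CSV.
# Every value here is made up for this example.
SAMPLE_CSV = """claim_id,name,ssn,dob,phone,address
C-0001,Jane Doe,123-45-6789,1970-04-12,504-555-0100,"12 Bayou Rd, Houma LA"
C-0002,John Roe,234567891,1965-11-30,(228) 555-0199,"8 Shore Dr, Biloxi MS"
C-0003,Test Entry,n/a,,,
"""

# Format heuristics only: they flag values that *look* like an identifier.
# A hit is a reason to encrypt or remove the data, not proof of validity.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),           # 123-45-6789 or 123456789
    "dob": re.compile(r"\b(19|20)\d{2}-(0[1-9]|1[0-2])-(0[1-9]|[12]\d|3[01])\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}


def scan_plaintext_pii(csv_text):
    """Return {column: {pattern_name: hit_count}} for identifier-shaped values.

    A non-empty result for a file that is about to travel on a laptop or
    USB stick means the file must be encrypted at rest (or the columns
    dropped) before it leaves the building.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            if not value:
                continue
            for name, pattern in PATTERNS.items():
                if pattern.search(value):
                    counts = findings.setdefault(column, {})
                    counts[name] = counts.get(name, 0) + 1
    return findings


def exposed_record_count(csv_text):
    """Number of rows that carry at least one identifier-shaped value.

    This is the figure that ends up in a breach notice: how many people's
    records were on the device in readable form.
    """
    exposed = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if any(p.search(v) for v in row.values() if v for p in PATTERNS.values()):
            exposed += 1
    return exposed


if __name__ == "__main__":
    hits = scan_plaintext_pii(SAMPLE_CSV)
    for column, counts in hits.items():
        print(f"column {column!r}: {counts}")
    print(f"records exposed if lost unencrypted: {exposed_record_count(SAMPLE_CSV)}")
```

Run against a real export, a report of this shape is the trigger for the control the article says is available and unused: full-disk encryption on the laptop, or at minimum an encrypted container for the spreadsheet, plus a policy that such files are not copied to portable devices in the first place.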
“This loss reminds us in the UK that it’s not just the public sector that can come under fire for mishandling data,” said Chris McIntosh, CEO, Stonewood.
Leaving sensitive data such as this unencrypted is bad enough, but given the scale of the event which made BP record it in the first place, it becomes almost inexplicable, he added.
“BP may claim that it has been investigating the incident during victims’ month-long wait for information,” McIntosh said, “but this seems similar to the actions that resulted in Zurich Insurance receiving a record fine from the FSA last year: too little, much too late.”