A BP employee has misplaced a laptop containing the personal information of more than 13,000 U.S. residents who filed compensation claims against the oil giant in the wake of the Deepwater Horizon oil spill.
Gulf Coast residents who'd filed claims against oil giant
British Petroleum in the wake of last year's oil spill have another thing to
worry about: their private information has been lost and possibly exposed.
A BP employee on a business trip misplaced a laptop
containing private information of about 13,000 individuals, the oil company
said March 29. The laptop contained a spreadsheet of names, addresses, phone
numbers, dates of birth and Social Security numbers belonging to people who
filed compensation claims after the disastrous April 2010 fire and oil spill
at the Deepwater Horizon drilling platform in the Gulf of Mexico.
The spreadsheet listed only those who filed claims directly
with BP before the Gulf Coast Claims Facility took over the processing in
August 2010. There is no need for anyone to refile claims because of this
incident, according to BP.
"There is no evidence that the laptop or data was
targeted or that anyone's personal data has in fact been compromised or
accessed in any way," said BP spokesman Tom Mueller.
The laptop, lost March 1, was password-protected, but the
information was not encrypted, according to BP spokesman Curtis Thomas.
While there were reports that the laptop had the capability to be
remotely disabled, BP did not comment to eWEEK on that feature.
The company notified affected individuals of the information
breach and offered free credit monitoring services with Equifax. The loss of
the laptop has been reported to law enforcement and BP's security team.
BP declined to provide any information on the employee or
where the laptop was lost because of the ongoing investigation.
"The truth is employees will keep on losing their devices,"
Darren Shimkus, senior vice president of Credant Technologies, told eWEEK.
Organizations should consider an integrated data protection strategy, as the increasing
number of consumer devices in the workplace means there are more endpoints where
sensitive corporate data can reside, he said.
"It's only going to get harder for IT" to implement and
manage data security, Shimkus said.
Employees need to be trained to think of these incidents in
a broader sense, Josh Shaul, CTO of Application Security, told eWEEK. When a
laptop with sensitive information is lost, employees tend to frame the incident
as a lost device that needs to be replaced and not as a corporate data breach,
he said. "It's really simple" how breaches happen, he said.
Data breaches are a growing problem. The 2010 data breach
report from Ponemon Institute found that the average cost of a data breach had
risen to approximately $7.2 million. Using Ponemon's figures of a data breach
on average costing organizations $214 per compromised record, this lost laptop
incident might cost BP in the neighborhood of $2.78 million. That price tag would
include the cost of notifying all the users and the state government, setting
up a call center that can handle questions from worried victims and paying for
credit monitoring services.
BP said it has already paid about $5.2 billion in total
claims since the April 10, 2010 explosion at the Deepwater Horizon oil well
in the Gulf of Mexico. It took BP 85 days to stop an estimated 205 million gallons
of oil from gushing into the sea. BP has directly paid out about $400 million
in claims to individuals and businesses before Gulf Coast Claims Facility took