The Boston Globe newspaper said on Feb. 1 that it accidentally released sensitive data on as many as 227,000 subscribers. Information on around 13,000 subscribers to the Worcester Telegram & Gazette was also accidentally released in the incident.
Subscribers names, credit card numbers and bank routing numbers, were printed on the back of recycled paper used to wrap bundles of the newspapers.
The Globe has contacted credit card companies and said it will change the way it secures credit card data internally, according to a statement attributed to Globe publisher Richard H. Gilman. The Globe did not respond to a request for comment.
The payment information for subscribers of both papers had been printed internally, and then discarded. The discarded sheets were then used to make "toppers," or routing slips attached to the tops of 9,000 bundles of the Worcester Telegram & Gazette newspapers, according to the Globe statement.
The Globe and Telegram & Gazette are both owned by The New York Times Co. and share computer systems.
The papers had procedures to prevent confidential information from being used or reprinted, but those precautions failed, said Al Larkin, a Globe spokesman.
The papers have immediately banned the reuse of printed paper within the company, Larkin said.
The newspapers have been trying to recover as many of the toppers as possible. However, they are typically discarded when the papers are delivered. As a result, the paper does not know whether or not the sensitive information has fallen into the wrong hands. As of Feb. 1, the paper had retrieved around 1,100 of the "toppers," according to Larkin.
No customer name appears on more than two toppers because of the way they are produced, according to the Globe statement.
The Globe contacted major credit card companies about the leak and said it will continue to monitor the situation.
MasterCard International has launched an investigation into the incident, according to an e-mail statement from the company.
The Globe is also working on the details of a plan to supply those affected in the leak with credit monitoring services, Larkin said.
The company also set up a toll-free phone number for customers to call to see if their information was on the list of accounts that were leaked.
A representative named "Marie" who answered a call from eWEEK at that number said that representatives began fielding a flood of calls from concerned subscribers starting at 10:00 a.m. on Jan. 31.
Customer representatives were also offering to change the credit card associated with leaked accounts, if customers wished, she said.
Both MasterCard and Visa requested more data about accounts for their customers that were compromised, according to a story in the Feb. 1 edition of The Boston Globe.
The mishap is just the latest in a long string of incidents in which companies leak or misplace customer data.
Last week, Providence Home Services, a Washington state health care company said backup tapes with sensitive medical data for 365,000 hospice and home health care patients was stolen from an employees car in December.
In 2005, information on around 40 million credit card users was exposed in a database breach at transaction processor CardSystems Inc.
Also, Bank of America reported that computer backup tapes containing account information on more than two million customers had been lost.