Newly merged Alcatel-Lucent is warning thousands of employees and retirees that personal information such as Social Security numbers, names and addresses may have been exposed after a CD prepared by a vendor was reported missing.
The unencrypted disc was crafted by one of the telecommunication companys vendors, Hewitt Associates. It contains names, addresses, Social Security numbers, dates of birth and salary data of Alcatel-Lucent employees on the U.S. payroll who worked for Lucent and their dependents. The disc contains the same information about Lucent retirees and their dependents as well.
The disc was prepared by Hewitt to be delivered via UPS to Aon Corp., another of Alcatel-Lucents vendors, and is believed to have been lost or stolen between April 5 and May 3. Alcatel-Lucent officials said they were informed of the situation May 7 and have contacted the U.S. Secret Service, New Jersey State Police and local law enforcement to assist in the investigation.
Alcatel-Lucent spokesman Peter Benedict said the company requires vendors to maintain tight security standards when dealing with personal data, but would not comment as to whether or not it was policy violation to be unencrypted. Alcatel-Lucents security policies currently are under review, and vendors have been told to suspend courier shipments while the review is underway, he added.
"We recognize that we have a responsibility to carefully protect this type of information and deeply regret this loss," said Frank DAmelio, chief administrative officer for Alcatel-Lucent, in a statement. "We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimize any potential risk this incident could create for them."
Company officials refused to give an exact number of people at risk for security reasons. However, the corporation has 21,400 employees in the United States. Only a subset of that number—those who formerly worked for Lucent—are affected, Benedict said. In addition, the Lucent Retirees Organization has more than 100,000 members, according to its Web site.
The company was formed late last year when Alcatel, headquartered in France, purchased Murray Hill, N.J.-based Lucent for $11 billion.
In addition, Alcatel-Lucent has agreed to provide individuals at risk with identity theft protection and credit monitoring for free for one year. Credit monitoring services will include unlimited online access to a credit report and score, monitoring of all three national credit bureau reports, e-mail alerts to inform individuals of key changes to their credit report, and fraud resolution and assistance, company officials said.
No information regarding customers or their accounts was on the disc, and the disc did not contain credit card numbers, bank account numbers or password information, Alcatel-Lucent officials added.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.