BP Oil Spill Claimants' Personal Data Disappears with Lost Laptop

A BP employee has misplaced a laptop containing the personal information of more than 13,000 U.S. residents who filed compensation claims against the oil giant in the wake of the Deepwater Horizon oil spill.

Gulf Coast residents who'd filed claims against oil giant British Petroleum in the wake of last year's oil spill have another thing to worry about: their private information has been lost and possibly exposed.

A BP employee on a business trip misplaced a laptop containing private information of about 13,000 individuals, the oil company said March 29. The laptop contained a spreadsheet of names, addresses, phone numbers, dates of birth and Social Security numbers belonging to people who filed compensation claims after the disastrous April 2010 fire and oil spill at the Deepwater Horizon drilling platform in the Gulf of Mexico.

The spreadsheet listed only those who filed claims directly with BP before the Gulf Coast Claims Facility took over the processing in August 2010. There is no need for anyone to refile claims because of this incident, according to BP.

"There is no evidence that the laptop or data was targeted or that anyone's personal data has in fact been compromised or accessed in any way," said BP spokesman Tom Mueller.

The laptop, lost March 1, was password-protected, but the information was not encrypted, according to BP spokesman Curtis Thomas. While there were reports that the laptop had the capability to be remotely disabled, BP did not comment to eWEEK on that feature.

The company notified affected individuals of the information breach and offered free credit monitoring services with Equifax. The loss of the laptop has been reported to law enforcement and BP's security team.

BP declined to provide any information on the employee or where the laptop was lost because of the ongoing investigation.

"The truth is employees will keep on losing their devices," Darren Shimkus, senior vice president of Credant Technologies, told eWEEK. Organizations should consider an integrated data protection strategy, as the increasing number of consumer devices in the workplace means there are more endpoints where sensitive corporate data can reside, he said.

"It's only going to get harder for IT" to implement and manage data security, Shimkus said.

Employees need to be trained to think of these incidents in a broader sense, Josh Shaul, CTO of Application Security, told eWEEK. When a laptop with sensitive information is lost, employees tend to frame the incident as a lost device that needs to be replaced and not as a corporate data breach, he said. "It's really simple" how breaches happen, he said.

Data breaches are a growing problem. The 2010 data breach report from Ponemon Institute found that the average cost of a data breach had risen to approximately $7.2 million. Using Ponemon's figure of $214 per compromised record as the average cost of a data breach to organizations, this lost laptop incident might cost BP in the neighborhood of $2.78 million. That price tag would include the cost of notifying all the users and the state government, setting up a call center that can handle questions from worried victims and paying for credit monitoring services.

BP said it has already paid about $5.2 billion in total claims since the April 10, 2010, explosion at the Deepwater Horizon oil well in the Gulf of Mexico. It took BP 85 days to stop an estimated 205 million gallons of oil from gushing into the sea. BP directly paid out about $400 million in claims to individuals and businesses before the Gulf Coast Claims Facility took over processing.