The personal information of 13,000 individuals who had filed compensation claims with BP after last year's disastrous oil spill may have been compromised after a laptop containing the data was lost by a BP employee.
The information, which had been stored in an unencrypted fashion on the missing computer, included the names, Social Security numbers, addresses, phone numbers, and dates of birth of those who filed claims related to the Deepwater Horizon accident.
BP said in a statement that the personal information had been stored in a spreadsheet maintained by the company for the purposes of tracking claims arising from the accident. "The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search," BP said on Tuesday.
The information was part of a claims process that was implemented before BP had established its Gulf Coast Claims Facility.
The statement makes no mention of when the laptop was reported as lost. But an Associated Press report quoting a BP spokesman notes that the laptop was lost on March 1 by an employee while on routine business travel.
The spokesman is quoted as saying that BP waited nearly a month to notify victims of the breach because it was doing "due diligence and investigating."
BP said the missing laptop is equipped with a security capability that allows security administrators to remotely disable the computer "under certain circumstances." However, the company offered no further details on what those circumstances might be or whether it has actually disabled the system so far.
"Because this investigation and search for the missing laptop is ongoing, we are unable to provide additional detail that might jeopardize our investigation efforts," the company said.
BP has sent written notices to victims informing them about the potential compromise of their personal information and offering them free credit monitoring services, the statement noted.
The BP compromise is only the latest in a very long list of similar breaches involving the loss of unencrypted personal data stored on laptops and mobile storage devices.
Such losses have prompted Massachusetts to pass a law mandating that companies encrypt sensitive personal data stored on mobile devices.
Although numerous encryption technologies are readily available these days to mitigate the risk, many companies still don't use them.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.