Bristol-Myers Squibb officials last week confirmed that a non-encrypted backup tape containing the personal data of current and former-employees and their dependants was stolen 4 June 2008, from a delivery truck carrying the device.
Bristol-Myers spokeswoman Laura Hortas said the New York-based pharmaceutical company began notifying current, former and retired employees by mail on 12 June about the missing backup tape. The pharmaceutical giant would not disclose how many individuals are affected by the breach.
However, according to a security breach notification letter sent by the firm to the New Hampshire Attorney General's office, personal data of 458 residents of that state was stored on the stolen tape.
Hortas declined to disclose where the theft occurred or any other circumstances regarding the incident, citing an ongoing investigation by Bristol-Myers and law enforcement authorities. She also would not identify the third-party storage vendor hired by Bristol-Myers to transport the sensitive data.
She did say that thieves broke into the delivery truck during a stopover at an undisclosed facility. Bristol-Myers is currently in the process of ensuring that all data tapes maintained by its third-party storage vendor are encrypted going forward.
"Bristol Myers Squibb regrets that the incident occurred and is committed to providing appropriate assistance for affected individuals who had their personal information on the data tape," said Hortas, reading from a prepared company statement. "We are committed to protecting the privacy and security of employee and dependent information. Maintaining the trust and confidence of our employees is paramount to Bristol Myers Squibb."
The stolen computer tape included the names, addresses, birthdays, social security numbers, marital status, bank account numbers, salaries, and hiring and termination/retirement dates of the affected employees. In addition, the tape has social security and address information about dependants of former and current employees.
Hortas said that data on the missing backup tape is protected by a 12-character password and a jumbled text format that can only be read through "pricey" specialised software. "The tape is not something your average person could just pick up and know how to access," she added.
Bristol-Myers said it has no reason to believe that any data on the tape has been inappropriately accessed, or identify fraud has been committed. The company is offering one year of free credit monitoring and identity theft insurance to all individuals and dependents affected by the data breach.Related stories: