I received an interesting letter in the mail yesterday from EMC Corporation. It seems that at some point in the last two months of 2014 they managed to lose control of my basic personal information, including my date of birth and Social Security number -- giving the ability to whoever acquired the data to take a pretty good shot at identity theft.
But in these days of aggressive hacking attacks and state-sponsored attack teams EMC didn't lose my personal information through some external breach of their security, they lost the data in a far simpler fashion; someone misplaced the paperwork. Not just my paperwork, but at least the contents of an entire packing box, presumably containing personal data on potentially hundreds if not thousands of people.
Because of the nature of the data lost, I can only presume that the box contained the personal information on contractors used by EMC, or their subsidiaries, in the past.
Apparently at the end of 2014, during a move between two EMC facilities, the box that contained my personal information was lost. Now, as you can see from the attached letter, EMC has taken steps to help me monitor my personal information by providing no-cost access to a year of third-party monitoring service, but my personal data has been loose in the wild for no less than two months and potentially as long as more than four months before EMC took it upon themselves to notify me of the fact, via regular postal mail.
In response to my questions on this incident EMC stated that "Although we have yet to locate the missing box, no evidence exists that any information contained within was either stolen or misused. We remain hopeful the box was simply misplaced." EMC informed me that the facility involved is now implementing a more secure handling process for inter-site transfers. And as to the length of time the response took the responded, they said: "While incidents of this nature can involve any number of factors that impact notification timing, EMC is not disclosing specifics."
If nothing else this security breach makes it clear that those responsible for information security need to remember that data is data, regardless of whether it is stored electronically or physically, and that appropriate procedures to address the physical security of information need to be in place and actively monitored throughout an organization.