BP loses laptop containing details of 13,000 oil spill victims

BP continues to make headlines and, yet again, not for the right reasons
BP continues to make headlines and, yet again, not for the right reasons

Complete details of the loss are still emerging, but it appears the computer was only protected by a Windows password, and that the company has sent letters to the people whose data were lost.

Data on the BP laptop spreadsheet included claimants' names, social security numbers, phone numbers and addresses. The firm has said that the relevant US authorities have been notified about the issue.

According to BP, the data belonged to individuals who filed claims with the oil giant before the Gulf Coast Claims Facility took over the processing of claims last August.

The UK Press Association says that a member of BP's staff lost the laptop at the start of March during "routine business travel".

BP is reported to be offering to pay for claimants to have their credit monitored by Equifax.

The UKPA newswire says that, when asked why nearly a month elapsed before BP notified residents about the missing laptop, a spokesperson said the company was carrying out due diligence and investigating.

IT security industry reaction to the laptop loss has been swift and harsh, with Darren Shimkus, senior vice president of Credant Technologies, saying that it is real wake-up call to corporations and governments everywhere.

"Regardless of the official security policy, sensitive corporate data will find its way everywhere, including corporate endpoints like laptops and thumb drives", he said.

"The truth is employees will keep on losing their devices and the only way organizations can protect their customers, employees, partners, and shareholders is to pursue an integrated data protection strategy", he added.

The VP of the end point data security specialist went on to say that the process of defending corporate data is only going to get harder for IT.

"As consumerization brings more smartphones, iPads, and other devices into the corporate environment, data risk multiplies and becomes even harder to control. Companies and governments need to make data security a priority get ahead of this now", he explained.

Over at Sophos, meanwhile, Paul Ducklin, the IT security vendor's head of technology for Asia-Pacific, said that the sobering part of this regrettable incident is that it happened because a single laptop was lost or stolen "during routine business travel".

"Even if you're the sort of organization which is willing to take risks with your own data – sales forecasts, trade secrets, and that sort of thing – you have a clear moral duty not to take risks with data you keep about other people", he said.

"Unfortunately, in those parts of the world where encryption and mandatory disclosure are not enforced by law, many sys admins are being squeezed by budgetary pressures to do as little as possible about encryption-related security", he added.

Ducklin went on to say that he does not understand that sort of economy, as surely your customers will value your service much more strongly if you can show that you are willing to do what's right and safe with their data?

"Why not consider the value of encryption to your business, instead of considering only the cost?"

What’s Hot on Infosecurity Magazine?