Stolen Corporate Laptops Continue to Expose Employees and Customers to Financial Loss and Possible Identity Theft

Laptop computers are convenient and permit businesses of all types to transport enormous amounts of information to conferences, presentations, and other remote locations. Unfortunately, laptop computers are easily stolen or lost and, when one does “disappear,” unencrypted data is particularly vulnerable to misuse.

Whether as a result of theft or carelessness, the loss of laptops belonging to corporations, financial institutions, data aggregators, schools or colleges, or other large organizations continues to be a subject of great concern in terms of potential identity
theft or other illegal use of stored personal information belonging to clients, employees, customers, and students.

Hardly a week goes by without at least one report of a stolen or misplaced laptop containing sensitive personal information on anywhere from a few to hundreds of thousands of people.

The most recent theft involved a laptop belonging to Fidelity Investments Institutional Services Co. (Fidelity), a company that provides services to the Hewlett-Packard (HP) defined benefit and defined contribution plans.

On March 15, Fidelity employees attended a meeting to which one of the attendees brought a laptop that included a database with the personal financial information of 196,000 participants in Fidelity managed HP sponsored retirement plans. The laptop was stolen.

A Fidelity spokesperson stated: “It is not our practice to have that level of data on a laptop. We limit significantly the use of such confidential data outside of Fidelity to only those instances where the information is appropriate or required for meetings with clients about their specific plans and participants.”

Fidelity has promised to reimburse HP employees and retirees for any losses that result from the theft. HP and Fidelity have alerted the current and former HP employees who were affected.

Fidelity has notified the three credit reporting bureaus of the theft and offered potential victims free enrollment for one year in a credit monitoring service.

In addition, Fidelity will be demanding extra authentication from anyone trying to access the affected accounts.

So far, it appears that there is no evidence that the stolen data is being abused. That data is now scrambled as a result of the expiration of the license for the laptop’s software. This makes the information difficult to interpret and generally unusable.

Finally, since many other laptops have been stolen in the same general area, the thefts may be targeting the computers and not the data they contain.

Since the missing data consisted of “personally identifiable information about plan participants,” criminals could also use the information (names and social security numbers) for all types of identity fraud and not simply to tamper with retirement accounts.

Earlier this month another theft involved two laptop computers that contained personal data on an undisclosed number of Verizon workers.

Verizon notified the people affected by letter on March 1. According to the letter, the laptops were stolen in an act of “random theft,” and the data was password-protected.

In an interview with ConsumerAffairs.Com, Verizon spokesperson Heather Wilner said that the computers were stolen from “a Verizon building,” but she was unable to provide further information because of “security reasons.”

That theft appears to have been a random act and so far there have been no reports that the information has been used for any improper purpose.

Verizon is offering free credit monitoring services for two years for any employees who were affected by the theft.

This is not the first time in recent months that the company has had issues surrounding the privacy of its records.  Its mobile subsidiary, Verizon Wireless, has had a series of problems.

In August of this year, the company suffered a software problem that enabled millions of customer records to be viewed by other customers. Verizon Wireless also sued a Florida-based investigative agency to prevent it from procuring customer records by posing as Verizon employees.

Verizon Wireless also joined other cell phone service providers in suing businesses such as and Celltolls that were acquiring cell phone records for sale on the Web.

On March 4, we reported that Metropolitan State College in Denver had apparently lost sensitive personal data on more than 93,000 students as a result of the theft of one of the school’s laptop computers.

An employee had been using the information, including student names and Social Security numbers, to write a grant proposal at home, where the computer was stolen, the college said Thursday.

The employee was also using the reportedly unencrypted data to write a master’s degree thesis, the school said.

The college has sent a letter to students who registered for Metropolitan State courses between the 1996 fall semester and the 2005 summer semester to notify them of the incident, the college said.

It is not known whether the sensitive information was still stored on the computer when it was stolen, according to college President Stephen Jordan. “The employee does not recall whether he had deleted those files from the laptop.”

According to Jordan, the college is now reviewing its policies regarding laptops and unencrypted data.

As we recently reported, over the past year the vulnerability of personal information has never been more apparent.

It has become painfully clear, to millions of “victims,” that once they entrust their Social Security number, banking information, credit card numbers and security codes, and other forms of personal identification and financial data to stores, online merchants, government agencies, employers, and financial institutions, they lose all control over it and have no idea of where it might ultimately wind up.

The massive data losses in 2005 have continued into 2006 and promise to continue unless and until security is ramped up to the point where private individuals and companies can safely entrust electronic data to third-parties for processing, storage, billing, or other transactions.

Many experts believe that until there is accountability for the loss of sensitive data through negligence or inadequate security, thieves, and other opportunists will continue to feast upon the wealth of electronic data floating unprotected through cyberspace or in unsecured or inadequately protected storage and shipping facilities.

Corporate and even government agency failures in terms of safeguarding personal and business financial information is a significant problem that needs to be addressed immediately.

As 2005 drew to a close, Ford Motor Co. started notifying some 70,000 current and former white-collar workers that their sensitive personal and financial data has been stolen. The information, which included the employees’ names, addresses, and Social Security numbers, was contained on a computer that was stolen in November.

In an incident quite similar to the one involving Metropolitan State College, Ameriprise Financial, the 2005 spin-off from American Express, recently announced that it had “lost” unencrypted personal financial data belonging to some 230,000 customers and financial advisers.

The information was stored on a laptop belonging to the company that was stolen from an employee’s car near the end of December 2005. The unprotected data included over 70,000 Social Security numbers belonging to current and former financial advisers and the internal account numbers of some 158,000 customers.

Although company rules explicitly prohibited the unencrypted storage of such sensitive data, there is nothing startling about the apparent negligence in the storage and safeguarding of third-party financial information.

In 2005, there were several high-profile database thefts or losses that put millions of people at risk for identity theft. Whether the information was stolen directly, bought from a dishonest employee, or lost through the negligence of the organization itself, inadequate security practices were at the heart of the each loss.

These ongoing security lapses are leading lawmakers to push for tighter rules for U.S. data aggregators. The following is a brief recap of the high-profile security breaches which put millions of individuals at risk for some form of identity theft within the past year.

• March 2005: A security breach at LexisNexis – an information broker database containing addresses, driver’s licenses, and Social Security numbers- allowed outsiders to access personal data files of as many as 310,000 people.

• Just prior to the LexisNexis breach, there was a security breach at ChoicePoint Inc., a company which sells access to personal databases. A con artist was able to call the company and gain access to the personal data of thousands of people. Information on nearly 145,000 people nationwide was no longer protected and authorities said that at least 800 people had been defrauded. ChoicePoint later increased the estimate of affected individuals to 163,000.

• April 2005: British financial giant HSBC PLC notified at least 180,000 people of a scam involving General Motors-branded MasterCards. Apparently, when these cards were used to make purchases at Polo Ralph Lauren, criminals obtained access to their credit-card information.

• February 2005: Bank of America reported that a small number of backup tapes containing records of the personal financial information of government employees were lost in a shipment to their backup center.

• April 2005: Time Warner Inc. reported that a container of computer tapes containing information on 600,000 current and former employees was lost during a truck ride to a data storage facility. Foul play has not been ruled out.

• March 2005: An eBay scam set up by “phishers” used a coin collector’s eBay account to sell about $780,000 worth of coins, many of which never existed. Fees for the fraudulent action had been financed with $300 from the coin collector’s personal PayPal account.

• April 2005: A former Blockbuster Video store employee was indicted on charges of stealing customers’ identities and then using them to buy more than $117,000 in trips, electronics, and even a new Mercedes-Benz.

• April 2005: Administrators at the University of California, Berkeley, disclosed that a computer laptop containing the names and Social Security numbers of nearly 100,000 people had been stolen. Just three days earlier, Northwestern University

• April 2005: A man in Hackensack, New Jersey, was accused of conducting a massive scheme to steal 500,000 bank accounts and personal information and sell it to bill collectors. His accomplices included branch managers and employees from some of New Jersey’s biggest banks, including Bank of America, Wachovia, and Commerce Bank. All are accused of selling bank account numbers and balance information for $10 per customer. In some cases, the bank employees printed out entire customer computer screens and turned them over to the ringleader. reported that hackers broke into the computers at the Kellogg School of Management and potentially gained access to information on more than 21,000 students, faculty, and alumni.

On June 6, financial giant Citigroup announced that United Parcel Service had somehow “misplaced” a box of computer tapes containing personal data on approximately 3.9 million Citigroup customers.

While a spokesperson for United Parcel Service claimed the company is “proud of its record in service and reliability,” he declined to discuss what security measures had been taken to protect the sensitive package.

Citigroup released a statement that it intended to start sending data electronically in an encrypted form and that it had “no reason to believe this information has been used inappropriately.”

It is clear, however, that when massive computer thefts are involved, there is no real way for the bank, credit card company, employer, or data aggregator to ensure that missing Social Security numbers, personal information, bank account and credit card numbers, and other sensitive records will not be used to fraudulently obtain credit cards, loans, and other indebtedness in the names of Citigroup’s customers.

Unlike individual cases of identity theft, which are often the product of inattentiveness on the part of the victim or which cannot be attributed to a lack of security, today’s enormous data thefts or losses may very well start resulting in civil liability on the part of the organization for negligence or for failing to have adequate security measures in place.

Some measure of accountability has been achieved in the ChoicePoint data loss with the Federal Trade Commission’s (FTC) announcement that the company has agreed to settle data security breach charges by paying $10 million in civil penalties and $5 million for consumer redress

According to the FTC release: “Consumer data broker ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle Federal Trade Commission charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement requires ChoicePoint to implement new procedures to ensure that it provides consumer reports only to legitimate businesses for lawful purposes, to establish and maintain a comprehensive information security program, and to obtain audits by an independent third-party security professional every other year until 2026.”

Significantly, the agency’s Chairman, Deborah Platt Majoras issued the following admonition to those entrusted with sensitive information: “The message to ChoicePoint and others should be clear: Consumers’ private data must be protected from thieves. Data security is critical to consumers, and protecting it is a priority for the FTC, as it should be to every business in America.”

If you have been the victim of identity theft of any kind, you should take action immediately. Here are the things you can do to minimize the impact on your life:

  1. File a report with your local police.
  2. Don’t change your Social Security Number. (It will probably cause more problems than it will solve.)
  3. Don’t cancel your credit cards. It may be very difficult for you to get new ones. You are better off reporting the fraud and getting new security codes, putting a fraud alert on the account and making sure that the issuer does not change your address without your personal instruction to do so.
  4. Contact the fraud departments of each of the three major credit bureaus.
    Get a copy of your credit report, which is free to ID theft victims. Ask that your file be flagged with a “fraud alert tag” and a “victim’s statement.” That will limit the thief’s ability to open new credit accounts, as new creditors will call you before granting credit, generally. Insist, in writing, that the fraud alert remain in place for the maximum of seven years.
  5. Contact the Federal Trade Commission to report the situation. The telephone number is 1-877-ID THEFT (877-438-4338). The address is Consumer ResponseCenter, FTC, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.
  6. Contact the Social Security Administration at 1-800-269-0271.
  7. Contact the I.R.S. at 1-800-829-0433.
  8. Call the fraud units of the three major credit reporting companies. Equifax – 1-800-525-6285 – P.O. Box 740250, Atlanta, GA 30374-0250. Experian (formerly TRW) – 1-888-EXPERIAN or fax to 1-800-301-7196 – P.O. Box 1017, Fullerton, CA92634.
  9. Contact creditors you believe are affected.
  10. Contact your bank(s). Place stop payment orders on any outstanding checks. You may have to close your accounts and open new ones.
  11. 11. Contact the major check verification companies if necessary. CheckRite 1-800-766-2748. ChexSystems 1-800-428-9623. CrossChek 1-800-522-1900. Equifax 1-800-437-5120. SCAN 1-800-262-7771. National Processing Co. (NPC) 1-800-526-5380.
  1. Obtain an Identity Theft Survival Kit at       that contains vital information about how to survive what can be a very aggravating and frustrating situation

Consult other sources for information and assistance: U.S. Postal Service – 1-800-275-8777 – U.S. Secret Service – U.S. Social Security Administration – 1-800-269-0271 – – CALPIRG Consumer organization – 1-310-397-3404 – or USPIRG – 202-546-9707 – – VOIT (Victims of Identity Theft Support Group – – U.S. Dept. of Justice –

This entry was posted in Consumer Fraud, Legal News. Bookmark the permalink.

© 2005-2019 Parker Waichman LLP ®. All Rights Reserved.