Data Disaster - Penney’s Missing Card Numbers

In addition to bringing you updates on technology, advice on backup best practices and occasional misguided musings, this blog will also follow the world’s data debacles. Like drivers slowing down as they pass the scene of an accident, we will, at times, be guilty of gaping, gawking and staring at the smoking remains of a data disaster. These stories are not shared to mock the victims or to take comfort in their misfortune because it is not ours. Rather, we examine these disasters in order to understand our own vulnerabilities and the importance of data safety. If they are somewhat amusing every once in a while, that is simply a bonus. Not really the case with todays entry though.

Today the AP reported that the credit card numbers of 650,000 people have been “misplaced”. These credit cards are handled by GE Money for JC Penney and other major retailers. Among those 650k are 150,000 that have social security numbers attached, putting them at a greater risk for identity theft.

The data in question was stored on a backup tape at a data storage warehouse run by Iron Mountain, and was discovered missing in October. There are apparently no signs of theft but the tape is definitely not where it is supposed to be.

Sensitive data is a valuable commodity, tempting for thieves and difficult to secure. GE Money is providing credit monitoring for those effected and has been performing a major notification campaign. This campaign might, according to the AP article, be flawed due to the fact that the letter comes in a GE Money envelope and is likely discarded as junk by many of the recipients. Hopefully this loss won’t have any painful ramifications for the individuals involved, but if it does the notification process might find itself the subject of unpleasant scrutiny.

Data loss happens. Tapes disappear. Hard drives fail. The only thing one can do is be prepared and have a disaster recovery plan for every contingency. The notification of those affected is an important part of this plan as, of course, is a backup of that important data.

Note: JC Penney is not in any way at fault for the loss of data. The other retailers affected remain undisclosed.