The big data breach story today comes out of Georgia, where the Atlanta Journal-Constitution reports:
A computer disk containing personal information on about 2.9 million Georgians was lost in shipping, state officials said Tuesday.
The data include Social Security numbers, birthdates and addresses of people on Medicaid and PeachCare for Kids, but no medical information, according to Dena Brummer, a spokeswoman for the Georgia Department of Community Health, which runs the two state health programs.
The Georgians affected were members of one of the programs over a four-year period until June 2006.
The package containing the CD was being shipped from an Atlanta office of Affiliated Computer Services, a Dallas-based company which processes claims for the health programs, to another company in Maryland, ACS spokesman David Shapiro said.
Sixteen other packages shipped from the Atlanta office the same day arrived at their destination, he said. Shapiro would not identify the ground carrier handling the packages.[…]
This is not the first loss or breach involving Affiliated Computer Services, a Fortune 500 company. For those who may be new to following or tracking breaches, Attrition.org’s Data Loss Database – Open Source lists four other incidents involving the company that were reported in the media since May 2005:
- May 2005. Motorola:
The names and Social Security numbers of an unreported number of Motorola employees were on two computers stolen from ACS offices in Chicago. Although the number of individuals or records stolen was not reported in most articles, NSI lists the number as 30,000 but does not cite its source for that number.
- February 2006. Denver International Airport:
Credit card information on people who paid by card for parking at the airport was on a backup tape stolen from ACS. The backup tape contained records for seven years. No number of records or individuals was estimated. In a case of locking the barn door after the horse is gone, DIA changed its procedures so that ACS was no longer allowed to store credit card information on any systems at DIA.
- August 2006. United States Department of Education:
During what should have been a routine software upgrade, ACS had a coding glitch on the DOE Direct Loan Servicing System web site, exposing the data of about 21,000 student borrowers.
- October 2006. Colorado Department of Human Services:
A computer containing information on nearly 1 million recently hired Colorado employees and employees in other states, plus 500,000 people involved in making enforced child support payments, was stolen from ACS. An ACS employee was subsequently questioned, but no charges were filed and the computer was not recovered.
And now this latest breach, affecting 2.9 million, brings ACS’s total number of compromised records to over 4 million, plus all of the records from seven years of parking at the Denver International Airport where the individuals paid by credit card.
So what are we talking about — 5 million records compromised? 10 million records? More? A proverbial drop in the bucket, perhaps, given the size of ACS and its contracts and given the size of other data breaches reported by companies like TJX. Nothing to worry about. What’s a few more million records compromised among friends?