Databreaches.net has a link to a FAQ created by Idaho Power, which notes that employee information was breached when Mercer Health & Benefits lost a backup tape. The data on that tape was not protected with encryption (the same technology that powers AlertBoot endpoint security software), and it looks like the breach has affected nearly 400,000 people.
Numerous Breach Notifications
To date, databreaches.net has found three breach notifications related to the Mercer tape loss. I, too, had mentioned something in passing earlier this month, based on the information found at databreaches.net (that site’s a wonderful resource).
One of these breached companies, Idaho Power, has put up a FAQ for their employees, and has revealed a couple of things that were not apparent before.
Hundreds of Thousands Affected, Not Sure About Breach Risk
First, Idaho Power has announced how many people were affected in total. Previously, we only had a partial count: a thousand with this company, another couple of hundred with that company, etc. I already knew from firsthand experience that the numbers couldn’t possibly be low. Mercer is a pretty big company, and backup tapes can hold a lot of data (and they usually do).
My own conservative, and unpublished, opinion was that it would affect people in the tens of thousands, at least. Idaho Power claims it’s 5,000 of their own employees plus “375,000 other individuals.” In other words, approximately 380,000 people were affected by this data breach.
Second, Idaho Power has made it a point to counter Mercer’s claims that, despite the lack of data encryption on the tape, the information is probably safe. From Idaho Power’s FAQ:
While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses. [my emphasis]
This is the first time I’ve read where a company openly disagrees with a business associate, be it a partner, a subcontractor, etc. Usually, when a company experiences a data breach through no fault of their own, that company is busy hiding the third-party company’s name. For example, when The Gap had a breach back in 2007, it wouldn’t mention which company actually caused the breach. I only found out earlier this year when a court case was made public.
I’m not quite sure what to make of Idaho Power’s position. Does it mean that Mercer’s claim–that the lost information is safe–is incorrect? Does it mean that Mercer could be right, but Idaho Power wants to make sure? Perhaps Idaho is trying to mitigate any potential lawsuits?
I know this much for sure: all of this very well could have been avoided if the information on that backup tape had been protected with encryption.
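To make that last point concrete, here is an added example (my own illustration, not code from Mercer, Idaho Power or AlertBoot) of what "protected with encryption" means for a backup before it ever reaches tape: the payload is sealed with AES-256-GCM, so the media carries only a random nonce, ciphertext and an authentication tag, while the key lives in a separate key-management system and never travels with the tape. The employee record and the 32-byte key below are constructed sample values; in practice the key would come from a KMS or HSM, and the per-tape key would itself be wrapped by a master key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealBackup encrypts a backup payload with AES-256-GCM. What goes to tape is
// nonce || ciphertext || tag; a lost tape without the key is just random bytes.
func sealBackup(key, payload []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per backup; reusing a nonce under the same key
	// would break GCM's guarantees, so it is never derived from a counter
	// that could be reset when tapes are recycled.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so one blob is written out.
	return aead.Seal(nonce, nonce, payload, nil), nil
}

// openBackup reverses sealBackup. It fails on a wrong key or on any
// modification of the stored blob, because GCM authenticates the data
// as well as encrypting it.
func openBackup(key, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample key (hypothetical: in reality fetched from a KMS).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample record of the kind a benefits backup would hold.
	record := []byte("employee=Jane Doe;dob=1970-01-01;ssn=000-00-0000")

	blob, err := sealBackup(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on tape (%d bytes): %x...\n", len(blob), blob[:16])

	// Correct key restores the record.
	plain, err := openBackup(key, blob)
	fmt.Printf("restore with right key: %q err=%v\n", plain, err)

	// A different key (what a finder of the tape would have) yields only an error.
	_, err = openBackup(make([]byte, 32), blob)
	fmt.Printf("restore with wrong key: err=%v\n", err)
}
```

The point of the authenticated mode is that a lost tape is then only a loss of availability, not of confidentiality, and any attempt to alter what was restored is detected rather than silently accepted.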