Telecommunications service provider Alcatel-Lucent has sent notifications to employees and retirees about a May 3 data breach.
The company said it was informed by a third-party vendor on May 7 that a disk containing the personal information of an unknown number of current and former employees had been lost or stolen.
Data on the disk included names, addresses, Social Security numbers, birth dates and salary data of Lucent employees and their dependents.
In a statement posted Thursday on its website, the company revealed that credit card, bank or password information was not included on the missing disk.
Alcatel-Lucent reported that the disk was either lost or stolen between April 5 and May 3 after being prepared by Hewitt Associates for delivery by UPS to another vendor, Aon Corporation.
The Murray Hill, N.J.-based firm said it had received no indication that the personal information has been misused, but informed state and local authorities and the U.S. Secret Service about the incident.
The company will also provide affected individuals with a year of identity theft protection and credit monitoring.
Affected personnel can also call 1-866-795-8756 for more information on the incident.
Alcatel-Lucent spokeswoman Mary Ward told SCMagazine.com today that the firm is not disclosing the number of affected employees for security reasons. A Friday report in the Newark Star-Ledger said the number could be as high as 200,000.
In a statement, Alcatel-Lucent apologized for the data loss.
"We recognize that we have a responsibility to carefully protect this type of information and deeply regret this loss," said Frank D’Amelio, Alcatel-Lucent chief administrative officer. "We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimize any potential risk this incident could create for them."
Bill Bartow, vice president of product management at Tizor, told SCMagazine.com today that corporations should ensure that outside vendors have acceptable data protection policies in place.
"First you have to have good, solid data security policies within your company, and then you have to extend it to other parties, including outsourcers. Then you have to ensure that they follow that policy," he said. "Certainly you can audit your business partners to ensure that they have best practices in place for data protection. One of the first things many people do is to classify their data and realize that there are certain types of data that should be treated differently."
–Get more IT security news. Click here for SC Magazine Blogs.