The Social Security numbers of 150,000 people were on the backup tape, which vanished last October, according to representatives from GE Money, which handles retail credit card operations.
The backup tape was being stored at an Iron Mountain warehouse when it went missing. The tape was not checked out of the facility, a GE Money spokesman said.
A statement released today by JCPenney said only that GE Money had made the retailer aware of the breach and is notifying customers. The statement referred inquiries to GE Money's public relations department.
GE Money spent two months reconstructing the tape and is paying for one year of credit-monitoring service for affected customers. JCPenney expects to complete the notification process next week, according to published reports.
A representative from GE Money could not be immediately reached for comment.
Iron Mountain spokesman Dan O'Neill said today that there is no evidence that the tape was obtained by an unauthorized person or has been misused. To access the sensitive information on the media, an individual would have to have specialized knowledge, he said.
“An accidental loss of a backup tape is not an identity theft issue or a crime. It is distinctly different from previous cases of malicious hacking or PC theft. Since we notified GE Money of the missing backup tape in October, there has been no evidence to suggest that any person's identity has been compromised as a result,” O'Neill said. “And we don't know of any incident, ever, when a backup tape has resulted in identity theft.”
The most prominent retail breach to date was the 2005 infiltration of the databases of TJX Companies, the parent company of T.J. Maxx and other chains. The hacking is believed to have begun at a Marshalls store in Minnesota, although others have suggested the suspects gained initial access at two Marshalls locations in Florida.
A group of New England banking associations claimed that hackers stole 94 million account numbers in the incident, but TJX maintains that 45.7 million accounts were accessed.
Avivah Litan, Gartner vice president and research director, told SCMagazineUS.com today that JCPenney had likely outsourced its data storage to Iron Mountain believing that the vendor could do a better job with security than the retailer could.
“This is the first documented case where a trusted service provider, like Iron Mountain, has lost a tape, so it's kind of damned if you do and damned if you don't,” she said. “The whole chain of trust is broken now. In the case of TJX, they were doing everything themselves, and up until now, there hadn't been a case like this. So this deflates the hope of finding trusted third parties.”
Gordon Rapkin, president and chief executive of data security vendor Protegrity, told SCMagazineUS.com today that JCPenney is ultimately responsible for making sure their customers' information is secured.
“I always follow the chain of responsibility, and it starts with someone charging his or her credit card data to JCPenney and transacting his or her business with JCPenney,” he said. “For all they know, [consumers] were doing business with JCPenney and not Iron Mountain.”
Popular blog consumerist.com claimed Tuesday that a “major retailer” had suffered a large credit card data breach, resulting in a surge of fraud reports from its readers, although it is unclear whether that has anything to do with the JCPenney incident.
The personal or financial data of more than 217 million Americans has been compromised since the beginning of 2005, according to the nonprofit Privacy Rights Clearinghouse.
Steven Sprague, CEO of Wave Systems, a data-security vendor, told SCMagazineUS.com today that encryption is an easy solution to ensure that personal information is not accessed improperly.
“The need to encrypt all data is reaching the point where it's for everyone,” he said. “Whether [dealing with] Iron Mountain or others, stuff happens, and when you encrypt the data, you don't have to rely on other people as much.”