AT&T offers loss prevention, then loses data

SC Magazine reported an AT&T loss of personal data:

An undisclosed number of management-level workers at AT&T have been notified that their personal information was stored unencrypted on a stolen laptop.

The head of the OASIS EKMI TC (that’s enterprise key management infrastructure technical committee) just pointed out to me that a press release on data protection and loss prevention was posted the day prior to the loss disclosure:

AT&T Launches Encryption Services to Help Businesses Secure E-Mail and Data
[…]
“Data protection and loss prevention is becoming increasingly critical for businesses of all sizes with data breaches costing organizations more and more each year,” said S. Dale McHenry, vice president, Enterprise Network Services, AT&T. “AT&T’s managed security services provide businesses with the tools and resources that they need to securely handle their data, helping to enforce data privacy and save money with the electronic transfer of documents.”

How ironic. Sounds like AT&T is ready for some AT&T.

Phishing for poems

The New Yorker often has good poetry. This one reminds me of how far we have come from the old meaning of fishing:

And now he feels he’s in his element,
Baiting a hook and casting forth the line,
And through clear water sees a heaven-sent
Swift flash of silver rise into air and shine.
Ah, let it go-go, dart back to the deep.
A lovely thing, but much too small to keep.

Does a phisher ever say “nah, this one is much too small”? Not enough data, or maybe too poor to steal from?

Probably not. The modern phisher is about as unlikely to follow catch-and-release rules as a greedy seagull. Or, as Henry Wadsworth Longfellow put it in Hiawatha’s Fishing:

Three whole days and nights alternate
Old Nokomis and the seagulls
Stripped the oily flesh of Nahma,
Till the waves washed through the rib-bones,
Till the sea-gulls came no longer,
And upon the sands lay nothing
But the skeleton of Nahma.

And upon the silicon lay nothing but the skeleton of users.

Utah offers $1,000 reward for 2.2 million missing billing records

My math skills must be waning. If I read this article correctly, the University of Utah Hospitals & Clinics is offering $1 for every 2200 billing records that were lost by Perpetual Storage Inc.:

A metal box containing the backup tapes, which contained billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system. The driver violated the protocols his company had established to ensure secure data transportation.

[…]

The University of Utah Hospitals & Clinics is offering a $1,000 reward for the return of the tapes, no questions asked.

The numbers just do not make sense to me. Another report explains that 1.3 million Social Security numbers were on those tapes.

Here is the recap of how the driver violated his protocol:

The courier picked up the records on June 1. Instead of taking them to a storage center, he worked a second job and then went home, said Shane Manwaring, Salt Lake County deputy sheriff.

The next day, he discovered that someone had broken into his vehicle outside his Kearns home and taken the box, Manwaring said.

The key question, no pun intended, is why the trip was able to include this insecure detour. The obvious answer seems to be that the employee was in need of a second job, in need of a stop at home, and that the storage company had no way of detecting that the box was overdue for “direct route” delivery to a safe spot. The three things could be easily fixed, and I consider them a failure of security management, rather than solely the fault of an operator who made a predictable error. With only $1,000 offered as a reward I have to wonder how serious anyone would be about security when they transport tapes.

Finally, assuming the tapes are returned, they were still stolen and potentially copied.

Incidentally, no pun intended again, Kearns, Utah seems to be a dangerous neighborhood. The Salt Lake Tribune reported a man was shot with his own gun while trying to fight off a “high-dollar merchandise” burglar in his home on May 10th, 2008.

Updated to add (June 12, 2008): Vincent Arnold has been kind enough to post Symantec’s chart of the value of compromised information.

It does not take a rocket scientist to read this and see that a person with tape data from Utah University could be looking at a minimum of $1 per identity, and upwards of $1000 per identity for bank accounts. Compare that to the $1000 total offer for the return of the tape to its owners…

Subaru Diesel Test Drive

Be still my heart. Subaru has created a turbo diesel boxer Legacy:

Subaru finally has a diesel - and it’s the first boxer turbodiesel in a passenger car. Ever. The diesel option not only gives the company a real presence in Europe, but the engine’s excellent fuel economy - near an estimated 50 mpg on the highway - will make it easier to comply with the upcoming CAFE legislation.

YES! YES! YES! 258-lb-ft turbodiesel DOHC 16-valve flat-4 at 50mpg and AWD. Woohoo! Better yet, it meets the Euro4 emission standard with 148 g/km of CO2 thanks to technology enhancements like common rail, oxidation catalytic converters, particulate filters, and Exhaust Gas Recirculation.

Sadly, like most consumer technology these days, it will be introduced to the US at least two years after being sold in Europe and Asia. WTF?

I bought my diesel VW at a far lower cost than the gasoline variant. In fact, it used to be one of the cheapest engine options on the VW line. The dealers barely wanted to carry them on the lot. Now, given the clear performance and efficiency advantages of diesel in foreign markets, Americans are not only still waiting, but the story is that there might be a surcharge:

It would make perfect sense in the Forester, and perhaps the Impreza. However, when it comes to sales, the success of this engine in the U.S. is going to depend on the cost factor. Pricing hasn’t yet been announced, not even for European markets, but this engine option could add $2000 or more to the bottom line for America.

Why does this upside down and backward situation not surprise me? Who loves the “market”? Come on America, stop pissing around with all the hydrogen mumbo-jumbo and let in the Diesel revolution. What gain is there from delaying this kind of innovation from reaching our shores? Car manufacturers should be given incentives to bring 50mpg full-size full-power automobiles to us.