For the second time this year, a high-profile financial company has lost a backup tape containing customer data while shipping the tape to an off-site storage facility.
Brokerage company Ameritrade has begun warning about 200,000 current and former customers about the loss of a backup tape containing their personal information, officials said this week.
The news follows Bank of America's admission in February that it lost tapes containing the personal data of 1.2 million federal employees.
The incidents show the vulnerability that companies face when storing backup tapes off site, and could add to growing calls for data encryption and a national data privacy law.
"Companies need to do risk assessments on their backup processes," said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group. "There are far more vulnerabilities than most people think."
Ameritrade discovered the loss in February when it received a damaged package containing a number of backup tapes shipped from its secure facilities in the U.S. Katrina Becker, an Ameritrade spokeswoman, said the shipping company caused the damage to the package.
Ameritrade immediately launched an investigation and learned four tapes were missing, three of which were subsequently recovered at the shipper's facility. The fourth, containing personal information on customers who used the company's service between 2000 and 2003, hasn't been recovered, she said.
"Those tapes were all found within the shipper's facility, which was also secure, so it is highly likely that the remaining tape was lost or destroyed within that facility, but we are still monitoring it," she said. "We do not believe foul play was involved."
Company officials started contacting customers last week, Becker said. She would not name the shipping company responsible for the lost tapes, saying only that it is a global, reputable shipping company with its own secure facilities.
Becker said that while the clients' personal information was stored on the backup tapes, damaging information like Social Security numbers isn't included in all customer records, and it's highly unlikely that credit card numbers were similarly stored on the tapes.
Becker said the information was unencrypted, but the tapes were "nondescript and compressed," and therefore hard to access. She said the company used California's data privacy law as guidance in deciding to notify customers, but went further than that state law requires by notifying customers nationally.
Ameritrade has changed some policies and procedures in response to the mishap, Becker said, but she declined to discuss specifics.
Data theft has become a topic of national concern in recent months. Publisher Reed Elsevier reported the information theft of up to 310,000 individuals and credit-check company ChoicePoint also announced the theft of individual information earlier this year.
The incidences prompted a Congressional hearing to consider legislation that forces data brokers to notify consumers if personal information is compromised. Currently, only the state of California has such a law in place.