Hummingbird Ltd. has lost the private details of 1.3 million student loan clients that were outsourced from TG. The data was on an unspecified piece of equipment that was subsequently lost. Experts at InfoWatch point out that this is a typical example of a data breach occurring during outsourcing. The client company should have made sure that the contractor was capable of ensuring the security of its confidential data. In the near future this factor is likely to become an important selling point for outsourcing companies.
Texas Guaranteed (TG) a Texas-based nonprofit organization that administers student loans recently announced that an outside contractor had lost an unspecified piece of equipment containing the names and Social Security numbers of approximately 1.3 million borrowers. It means a large amount of students and graduates currently face the risk of identity theft, reports ComputerWorld.
There are no details about what kind of equipment was lost, but the incident was reported to the company in late May by Hummingbird Ltd. a Toronto-based company that had been hired by TG to develop a document management system. TG passed on confidential files to Hummingbird within the framework of that agreement, and according to a TG spokeswoman, the company followed recommended security practices and encrypted all the information prior to sending it to Hummingbird. The data was then unencrypted by Hummingbird employees and stored on equipment that later appears to have been lost.
In the announcement distributed by Hummingbird it is stated that there are no grounds to believe that the equipment was stolen to gain access to the private data stored on it. Moreover, the information on the lost device was protected by "security measures," though no details were given as to what they were.
Hummingbird has already filed a lost property report with the police and TG has set up a hotline for its clients. Over the next few weeks TG plans to inform all those affected by the incident, which is unlikely to be an easy task considering 1.3 million letters will have to be posted out or phone calls made.
“This is a typical data breach resulting from outsourcing. The client company didn’t even bother to check beforehand to see how safe it would be to send confidential information to that contractor. I’m certain that after such a large-scale incident the company will be much more careful when outsourcing in the future, and safeguards against data leaks will become a decisive factor when choosing a contractor,” says Denis Zenkin, marketing director at InfoWatch.
Source: ComputerWorld