Security snafu at Boston Globe exposes subscriber data

An apparent attempt to recycle discarded internal reports has ended up in the compromise of credit card and bank number information belonging to more than 240,000 subscribers of The Boston Globe and Worcester Telegram & Gazette.

The snafu occurred when the account information of The Boston Globe and Telegram & Gazette subscribers who pay for their home delivery subscriptions by credit card was disclosed on the back of more than 9,000 individual routing slips used to label bundles of the Worcester Sunday Telegram, The Boston Globe said in a statement Wednesday. The bank routing information of some Telegram & Gazette subscribers who do not pay by credit card may have also been inadvertently disclosed, the paper said.

Both newspapers are owned by The New York Times Co. and share a computer system.

According to The Boston Globe, discarded reports were recycled as paper used to print the routing slips. The paper was alerted to the compromise by an employee at a store that sells copies of the newspaper, said Alfred Larkin, senior vice president of general administration and external affairs at The Boston Globe. “As soon as senior management became aware of the situation, we dispatched a significant portion of our delivery force and attempted to recover as many of the routing slips as possible,” he said.

So far, about 1,000 of the routing slips have been recovered, Larkin said. “Most of the others we believe have been discarded,” he said.

According to The Boston Globe’s account of the incident, data was printed out twice in recent weeks by business office workers at the Telegram & Gazette and then thrown away to be recycled. In one case, an employee started to print a report, stopped the printing before it was done and discarded the paper; The second time, a different employee began printing out a report, realized it was the wrong one, aborted that job and threw the report out.

A majority of the affected individuals are subscribers to The Boston Globe, he said. The company has already contacted the four major credit card companies and also some of the banks involved in the compromise. Later Wednesday, it will send out letters to the affected individuals informing them of the compromise and any follow-up action they need to take to mitigate exposure to fraud.

“We hope to be able to offer some way of assuring their safety going forward,” Larkin said, adding that no decision has been made on what exactly that might be.

Larkin said he does not know how long recycled internal reports have been used to print routing slips at the Telegram & Gazette, but said the practice was immediately stopped. It was not a practice followed by The Boston Globe.

The paper also set up a hotline, 1-888-665-2644, that subscribers can call to verify whether their information was compromised, he said.

In a statement, publisher Richard Gilman said he regrets the “inconvenience” the incident may cause subscribers. “We deeply value the trust our subscribers place in us and are working diligently to remedy this situation. Immediate steps have been taken internally at The Boston Globe and the Telegram & Gazette to increase security measures for protecting customers’ confidential information,” he said.

Such incidents highlight the need for companies to have a holistic data security and data classification strategy that includes controls for information stored in back-up tapes, storage devices and on paper, said Roberta Witty, an analyst with Stamford, Conn. based Gartner. “Just because it’s not in electronic form doesn’t mean you don’t put controls over it,” she said. “At the end of the day, it is the responsibility of the information security group with the records management group” to ensure that proper controls are in place for sensitive information.

The incident is only the latest in a constantly growing list of major data compromises over the past year or so. Only last week, for instance, Providence Home Services of Seattle and Ameriprise Financial in Minneapolis disclosed separate security breaches involving the compromise of confidential customer data. Providence said it was notifying 365,000 hospice and home health care patients about a theft of back-up tapes containing confidential information. Ameriprise said it was notifying 158,000 customers and 68,000 financial advisories about a possible compromise of their confidential information after a company laptop was stolen.

Similar breaches have hit a variety of companies in recent months, including Bank of America, LexisNexus and ChoicePoint. The compromises have fueled Congressional and federal concerns about data privacy and security. Only last week, the Federal Trade Commission disclosed separate security breaches for its alleged failure to meet its data protection obligations.