Cord Blood Registry, a private company that stores stem cells from umbilical cords for future medical use, experienced a major data breach in December that could affect up to 300,000 people.
The theft occurred on Dec. 13, 2010 when someone broke into the car of one of the company's employees in San Francisco and stole a bag containing tapes filled with financial data belonging to the company's clients, including names, Social Security numbers and credit card numbers.
The company sent letters to about 300,000 people notifying them of the data breach and offering to pay for a year's worth of credit monitoring services by the credit bureau Experian.
"We are just trying to be open and transparent," said Kathy Engle, Cord Blood Registry's spokesperson.
As soon as the theft was discovered, the company investigated to see what was saved on the tapes, as well as on a Dell laptop, zip drive and external hard drive that were also stolen, said Engle. The company also paid a consulting firm to research whether any of the names and credit card numbers on the tapes are being used to make fraudulent purchases. They found no evidence of misuse so far.
"The tapes were not encrypted," said Engle, "which precipitated our decision to alert our clients and provide them with credit protection because we realized that's what put them at risk."
Many companies don't know how easy it is to protect themselves from such a breach, says Ondrej Krehel, information security officer for Credit.com's sister company, Identity Theft 911.
"Unfortunately, not many businesses realize that encryption of sensitive data is less costly than recovering from a data breach," Krehel says.
By investigating the breach, notifying all potential victims, being open about the details of the breach and changing its security procedures in response, the company did pretty much everything it needed to do to respond to such a theft, says Krehel. Providing a year of free credit monitoring is good, and is standard procedure for most companies. But that doesn't necessarily mean that the victims are safe.
"What happens after one year?" says Krehel. "Once our Social Security number is somewhere out there, it could be hard to prevent ID theft in the future."
The Cord Blood Registry saves blood from umbilical cords, which is useful in treatment for sickle cell anemia, and in transplant surgeries to minimize the risk of new organs getting rejected by the body. Researchers are studying other potential uses, including regenerating cells to repair damaged tissue.