Forgot your password?
typodupeerror
Privacy The Courts Your Rights Online

BP Loses Laptop With Oil-Spill Claimants' Personal Info 137

Posted by timothy
from the why-cry-over-spilt-milk-oil-and-data? dept.
Oxford_Comma_Lover writes "CNN Reports that BP lost a laptop with the name, address, DOB, and SSNs of everyone who filed claims related to the big oil spill last year. In other words, everyone asking for money from them based on the spill just got their private info misplaced. There has been no allegation of bad faith."
This discussion has been archived. No new comments can be posted.

BP Loses Laptop With Oil-Spill Claimants' Personal Info

Comments Filter:
  • oh, (Score:3, Funny)

    by lolololol (1991780) on Tuesday March 29, 2011 @10:01PM (#35661792)
    How convenient...
    • by PopeRatzo (965947) *

      How convenient...

      And let this be a lesson for anyone else who would seek to extort money from those fine humanitarians at British Petroleum.

      Coincidentally, I saw this earlier today:

      (Reuters) - Shares in oil major BP fell on Tuesday on a report the company's managers could face manslaughter charges following the Gulf of Mexico oil spill, which could lead to much higher fines over the disaster.

      I for one do not welcome our new corporate overlords.

    • Re:oh, (Score:5, Insightful)

      by mwvdlee (775178) on Wednesday March 30, 2011 @02:59AM (#35663660) Homepage

      Never attribute to malice that which is adequately explained by stupidity.

      With such enormous levels of stupidity, the entire company should just be shut down and the entire management thrown into a mental hospital.

    • Not malicious, just another spill. Likely into deep water. It'll now take them three or four months to figure out how to recover it.

  • by Anonymous Coward

    These people defy belief ...

    Do they seek out morons in their corporate recruitment program, or are they just unlucky.

    • by jd (1658)

      The morons are the ones who would work best under the managers. It's not deliberate selection, merely a compatibility issue.

  • SSN? (Score:3, Insightful)

    by innocent_white_lamb (151825) on Tuesday March 29, 2011 @10:07PM (#35661840)

    Why do they need your SSN to process a damages claim?

    • My same thoughts about the DOB too. Driver's license number I could understand, but SSN and DOB? Are they going to fill out a w-4 for them? Maybe a 1099-MISC.

      • They're going to be paying them reparations, or at least some fraction of them... So, yes, there are almost certainly going to be tax implications.

      • by mpe (36238)
        My same thoughts about the DOB too. Driver's license number I could understand, but SSN and DOB?

        Why should only people who drive be able to claim? Even in the parts of the US affected driving is not mandatory...
        • Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check. So, besides toting your social security card and your birth certificate around with you to prove your identity, it's more convenient to use a state issued ID. In this example, I used a driver's license as a quick example of a state issued identification card with a number, since ALL states use a unique number on these cards, be it a driver's license or a plain ID card.

          I don't have anything against th

          • by osu-neko (2604)

            Well, let's see. Most banks require an ID to open an account. Most check-cashers want an ID to cash a check.

            Most banks use some form of identity verification. However, at least the last bank account I opened, this did not involve the presentation of any physical paperwork. I certainly didn't need a birth certificate, I simply told them my SSN, and I didn't present any state issued ID. IIRC, when I opened a bank account back in the 80s I had to go through something like that, but not recently. As for check-cashers, I assume you're talking about people to stand around in the bank talking to people who go in? D

          • Why didn't you say passport? Oh, hang on...

            • Americans are more unlikely to have a passport vs a State issued ID.

              • Americans are more unlikely to have a passport vs a State issued ID.

                But are they more unlikely to have a passport [gyford.com] or be functionally literate [usatoday.com]? For this shitty country's brainwashed masses to take their own unearned "exceptionalism" as an article of faith is just hilarious in the face of the facts.

    • Re:SSN? (Score:4, Informative)

      by nedlohs (1335013) on Tuesday March 29, 2011 @10:19PM (#35661928)

      For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

      Other types aren't but that doesn't mean they don't report them to the IRS anyway.

      • Re:SSN? (Score:4, Interesting)

        by vlm (69642) on Wednesday March 30, 2011 @08:13AM (#35665094)

        For a lost income claim, the money is taxable (just as the income it is supposed to be replacing would be).

        The problem is tax evasion. There's a million "bubba gump shrimp boats" down there, that "on paper" never make more than a couple K of taxable income per year. But under the table they were absolutely raking it in. Cash sales to restaurants. Cash sales at the pier to brokers. Cash sales to general public and/or local fisherman whom happen to be at the pier. The only guy in LA with more cash than a dealer is a fishing boat owner. Now with the spill, there is a huge dilemma of how much money they should get from B.P., what they actually made, or what they reported to the IRS.

        I'm told by relatives in LA that the IRS takes people down because they are so dumb that they buy diesel for their boat on a credit card, so its easily tracked, and they spend more money JUST ON DIESEL than they report as gross income to the IRS. Theres a whole folklore as to which marina cooperates with the feds and which marinas take cash for fuel, and how its better to buy diesel at a "gas" station for cash, pay the diesel road tax, and pour it into your boat, than to get busted, apparently offroad has a dye added so you can't burn it onroad, and boat owners buy the dye to make it look like they're burning marina diesel instead of truck diesel.

        That gives some idea of how bad the tax evasion is down there. I would not be surprised if this is all a show, and the laptop mysteriously is found in the local IRS office.

        • by sys_mast (452486)

          I thought the dye just indicated it was NOT taxed for road use. Meaning if a truck on the road HAS the dye, the get in trouble. However if you use that fuel off road(on water count as off road?) You don't get in trouble for paying a tax that you didn't need to.

          I guess my question is who is out there checking for fuel that was taxed, in a situation where the tax was not required?

          In addition to that, my understanding of that dye, is that it tends to stay in the tank, even after re-filling with non-dye fuel. S

    • by headhot (137860)

      Well, some people have the same name. You dont want to justify not paying a claim to the same person twice would you?

    • by hazem (472289)

      They probably have to file a 1099-something to the IRS for any payments they make to claimants.

      It will be interesting to see if they end up getting a bigger payment for the lost personal data than they will for their ruined lives and environment.

    • The same reason any non-government entity needs it: because it would be more convenient if you had a government-issued serial number, and the closest thing you have to that is your SSN, which they have no right to whatsoever.

      • by Anonymous Coward

        It's actually a federal offense to collect, store and use the SSN of any individual. (of course it hasn't been enforced)

  • Bad Faith... (Score:5, Interesting)

    by aralin (107264) on Tuesday March 29, 2011 @10:07PM (#35661842)

    Any sufficiently big level of stupidity is indistinguishable from malice :)

    Actually it is better for you to assume malice than stupidity, because if you go after a fool, he kinda sorta deserved it anyway, if you think a malicious enemy is stupid, you are gonna pay twice for being fool yourself. Game theory in action. :)

  • by Anonymous Coward

    just misplaced .. it'll turn up any old time ..

  • Huh? (Score:5, Insightful)

    by cultiv8 (1660093) on Tuesday March 29, 2011 @10:16PM (#35661912) Homepage
    Was it not encrypted? How long after it was "discovered" missing was it remotely disabled? Were they able to wipe it? Why do you keep this type of data on a personal laptop? Seriously BP, you guys make a lot of cash, care to tell us how much of this is going into your IT infrastructure to prevent this from happening?
    • Re:Huh? (Score:5, Insightful)

      by Yo Grark (465041) on Tuesday March 29, 2011 @10:32PM (#35662006)

      Oh, IT told them how to securely store the data on the laptop. Him being at the executive level, promptly ignored IT directives because it was "too complicated".

      I'm in a large organization, it's INCREDIBLE what hoops IT makes little ol me jump through to do things on my laptop but Executives routinely able to do and get the most insane stuff happening on their laptop. Autologin because they keep forgetting their passwords? No duh, changed every 20 days, must contain an non-alpha-numeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....you have ANY idea how fricken hard it is to keep track of not only the main login but all the subsystems we use?

      Oh, what's that? the exec has autologin with roboform installed? And this is allowed HOW? Oh right, they're the execs.

      - Yo Grark

      • Re:Huh? (Score:5, Insightful)

        by PolygamousRanchKid (1290638) on Wednesday March 30, 2011 @04:28AM (#35664064)

        No duh, changed every 20 days, must contain an non-alpha-numeric character, must contain upper and lowercase, not dictionary based, and not similar to the last 20 passwords.....

        I read an editorial a long time ago in the Wall Street Journal, written by a security consultant. The executive had three secretaries working for him, and they had to use the PCs from each other. The executive proudly stated that the passwords needed to be changed every week!

        The consultant said that no one could deal with a different password every week. He did a MacGuyver, and used a pocket knife to open the drawers in one of the secretary's desk. There were the passwords, all written down and stored in the top drawer.

        The point here is that you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

        • Re:Huh? (Score:4, Informative)

          by vlm (69642) on Wednesday March 30, 2011 @08:20AM (#35665138)

          The point here is that you go off all crazy on security policies that are impossible to follow, someone will find a work-around that defeats the purpose.

          The worst part of your story is the actual failure mode is failure to understand the difference between encryption and authentication.

          You're "supposed" to share encryption keys to transfer data, and you've got a huge known plaintext problem with encryption. So you have to change keys / passwords every week or whatever.

          In comparison, the only person that knows your authentication password is one human. The computer, if done correctly, only knows a salted hash. Changing passwords is cargo cult science, it pointless. Its applying a solution from one problem to a completely unrelated problem. And it makes it worse by making password changing and resetting common and trivialized (in addition to making human management of passwords so difficult that they subvert the system as per your report). Finally it feeds illogic and stupidity, in that good security can be a PITA, therefore anything that is a PITA must be good security, right, and the more of a PITA it is the better the security must be?

      • by dave562 (969951)

        It sounds like IT needs a clue. Where I work they put PGP FDE on every laptop. The option to encrypt is not left up to the user at all. The laptop is encrypted and that is that.

        • Carelessness seems to be part of BP culture throughout the organization, not just in IT matters.
    • by Anonymous Coward

      BP laptops can't be remotely wiped, but they are password protected.

      • "password protected?"

        If the password doesn't get mangled into an encryption key somehow, it's not protecting anything. "Password Protection" on a laptop is like putting up a forty-foot high steel (.. colored.. plastic..) door next to a patio and hoping thieves are too distracted by the door to notice it's not actually enclosing anything.

        • by vlm (69642)

          "Password Protection" on a laptop is like putting up a forty-foot high steel ...

          ... blow-out preventer on a well, and then not keeping its batteries fully charged?

          Just trying to put it in terms B.P. can easily understand given their recent history...

  • speaking of BP... (Score:4, Interesting)

    by magarity (164372) on Tuesday March 29, 2011 @10:34PM (#35662028)

    There hasn't been much coverage lately of how the independent engineering team decided the blowout prevention valve's malfunction was to blame and not some active corporate malfeasance after all. On the other hand, there also hasn't been much coverage of how BP owns a lot of the oil facilities in Libya that the US military is now busy defending.

  • by pankajmay (1559865) on Tuesday March 29, 2011 @10:34PM (#35662030)
    It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

    Shit happens! Seems like they are doing appropriate damage control (by offering free credit monitoring to affected people). And hopefully, as soon as it comes online if it gets turned on by a novice finder/stealer, it will be wiped/locked by the company's software agent.

    Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary. It should be treated like any other company laptop loss, except in this case it had a copy of some rather news-worthy data.
    • by osu-neko (2604)

      It seems they do have a copy of the data (the original article alludes to that) -- so this is in effect just a loss of a laptop that contained a copy of this data.

      Indeed. No doubt they put a copy of this data on every laptop, and keep in a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

      That whooshing sound you heard when you read the summary was the whole point going over your head. The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

      Such data is usually copied by many on their laptops or devices so they can run some quick analyses or answer questions -- there is nothing out of the ordinary.

      If the data is

      • Indeed. No doubt they put a copy of this data on every laptop, and keep in a public server somewhere so anyone can copy it, so they always have many copies around just in case something like this happens. /eyeroll

        The issue was never that they might no longer have access to the data. The issue is that they aren't doing a particularly good job of making sure not everyone has access to the data.

        You would never know that with the ruckus everyone here was raising at the start of the thread. And by the way - you conveniently ignored the fact that they are doing damage control.

        If the data is sensitive, it shouldn't be copied, it should be accessible in such a way that they can do this without requiring an individual copy of the entire database on the laptop. Alternately, if this isn't feasible for the task that needs to be done on that laptop, then much higher levels of security should be required and extra care should be taken to ensure that the machines that do have the data are not stolen or lost.

        This is only "nothing out of the ordinary" is the sense that irresponsible behavior and gross negligence are nothing out of the ordinary at BP.

        There is a lot of difference between theory and practice. You would know that if you work for a big organization. I am not condoning the lack of precautions on the executive's part -- the executive needs to reprimanded properly, but all I am saying is that this stuff happens.
        True BP may be bad and evil, but this does not mean t

    • by rfrenzob (163001)

      What happens before the laptop in question comes online?

      • What happens before the laptop in question comes online?

        As I said earlier, I am sure that the info is encrypted on the laptop -- it will probably be inaccessible without a proper key. And if the machine comes on, they will be able to wipe it before the OS loads.

        Big organizations usually do hedge for such scenarios and have precautions and procedures in place in such events. You don't think they supply their executives with plain vanilla laptop with Windows on it with no serious authentication measures?

        • What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?
          • What makes you so sure that the info is encrypted on the laptop? Are you assuming that it is? Does the article state that it is?

            I said there is a high probability not that I am completely sure. Are you aware of how organizations work with their IT infrastructure? Or do you just think that they buy computer stuff and distribute it to their employees?
            Any big organization will have a plan in place for such an event as this -- it is fairly common to expect that laptops can be stolen/misplaced. And that I can be 100% sure that they have some procedure and definitely some protection layers for the data.

            I stated this in my last post --

            • Have you ever heard of data getting illicitly retrieved off of stolen laptops? Happens all the time. It seems to me that assuming that they actually did encrypt all sensitive data without knowing that for a fact is incredibly naive.
  • BP can't contain anything.. except payouts to its victims...

  • Why would they want to lose it after paying large sums of cash?

    What other events are going on with BP that would make this a distraction?

    What do they gain about making this front-and-center public?

    • by vlm (69642)

      Why would they want to lose it after paying large sums of cash?

      Well, the IRS is gonna be really pissed, but the general public getting money tax free is going to be happy. Assuming "the general public" got the cash and not some politician. Hmm.

  • there's been a data spill!

    i bet they find the laptop in the Gulf of Mexico.

    • by sethstorm (512897)

      If it were that case, they'd try a few ineffective things and seize proof that their measures were ineffective.

      • by vlm (69642)

        And someone on /. would suggest the best way to cap the data leak would be to nuke it ...

        • by cffrost (885375)

          [...] the best way to cap the data leak would be to nuke it ...

          Hmm... EMP in the laptop's last-seen general vicinity? You may be on to something, vlm.

    • there's been a data spill!

      i bet they find the laptop in the Gulf of Mexico.

      And they're "cleaning it up" with PR just like they "cleaned up" their oil spill with a toxic chemical called Corexit. They're very consistent, in a horrible way.

  • Everyone makes mistakes

  • We can find out if he's American or not. He did file a claim, didn't he?

  • "my dog ate my homework" or the iPhone 4 left in the Silicon Valley bar by the Apple employee?
  • In my mind it seems like a failure in security to have this quantity of personal information on a laptop. If someone needs quick access to it then it should be in a database back in home base with some canned queries for whatever functions are typically needed. This approach should be sufficient anywhere that an internet connection exists. I've never used one myself but my understanding is that these days you can purchase USB sticks that connect to the internet from anywhere in reach of a cell tower and
    • Understatement! At Symantec we didn't even let executives just download all the end-of-quarter high-value orders, and that information was vital to timely earnings estimates! We built them a reporting rdbms with "some canned queries" just like you said, which they could access via VPN or from their offices around the world. But the Finance Department did not offer the whole f'ing database to anybody to take from The Company's offices. That shit just isn't done with valuable data -- data that The Company v

  • "Bad faith" (Score:4, Insightful)

    by rhizome (115711) on Wednesday March 30, 2011 @01:02AM (#35663158) Homepage Journal

    The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.

    • by thegarbz (1787294)
      Ahhh yes policy. I take it you don't work in IT? IT policies in most companies are generally widely regarded as a waste of time to write and are rarely followed. I mean I work for a multinational company who actually had to send out an email communication to all staff saying, "Yes downloading 5GB of porn on your lunchbreak is definitely a breach of the terms of services, which incidentally are longer than a typical EULA and expressly state things such as never keep company information on the desktop, my doc
      • What multinational company? And what are their policies regarding financial data? A bit stricter than their policies on Firefox v. IE, I'll wager.
        • by thegarbz (1787294)
          You make it sound like the end user knows the difference. The policy basically is a catch all to not keep any data anywhere except our personal drives, which they provide us access to from anywhere in the world anyway. I mean we don't go a week without hearing that someone lost a laptop of social security numbers, a customer database, a list of voters, etc. Are you saying these companies all had no IT policy to not to keep sensitive data on a laptop/usb stick?
    • by emt377 (610337)

      The bad faith isn't in losing the laptop, it's in the BP policy allowing workers to have this information on laptops that can be lost.

      At least without crypto to protect it. I keep a lot of sensitive paperwork (contracts, etc) on my laptop, but it goes in an encrypted file system that's only mounted as needed, then unmounted.

  • At this point is there any expectation that actions like this will carry consequences outside of an apology for a company like BP? After the oil spill, the Texas incident and their subsequent handling of both - it seems like an issue like this will disappear from the media's attention span in short order.
  • It doesn't happen that often, but each and every time I read a story about a laptop being lost that held critical information, I'm asking myself the same question: How do you lose a laptop?! I've never personally heard of anyone losing a laptop. Not even misplacing one. One got stolen, but I wouldn't count this as "lost", although it is a loss.

  • Oil leak
    Private-data leak
    What next, Wikileaks?
  • Why would BP need to collect social security numbers?

    • by cffrost (885375)

      Why would BP need to collect social security numbers?

      Maybe so they can try to recoup some of the money they're losing to paying out these claims? I wouldn't put it past 'em. =)

  • We're sorry.... Sorry.

    T.Hayward
  • I'm always amazed at the communities limited understanding of the media world and how it does its reporting. The media is reporting how BP is treating the issue, not what has actually happened. BP is handling this in a worst case scenario: the laptop has been stolen/lost, the information on the laptop has been compromised, and the individual responsible is maliciously using the claimants information in a mischievous way. They have only confirmed they do not have in their possession a laptop with claims info
  • In the age of uniquitous connectivity, why is it that this data is stored locally on a laptop? BP surely has boocoo IT infrastructure, so why didn't they just set up a secure website that their minions could've used to input people's data instead of storing it in Excel on a laptop where it could be lost? Seems to me that it'd be a lot more difficult to lose the data when it's sitting on your SAN which is probably in an access restricted datacenter. Asshats...
  • Why would someone store data on a laptop? Connect through a secure link and get your data from a server that can't be lost. Hacked maybe, but not lost. For crying-out-loud; some IT folks are Duh and not WINNING. Storing shit on a laptop is just retarded. Don't care it is retarded. Store it on a server. I do and Duh, WINNING!
  • So, is BP is trying to implement the "I lost my laptop" excuse to keep from paying all of those claims?

    What I want to know is: why do people store all of this information on individual laptops?
    Things like this have happened so many times before. When will those pinheads learn?

    • by cffrost (885375)

      What I want to know is: why do people store all of this information on individual laptops?

      Two words, mschaffer: Plausible deniability.

  • ...you think this tidbit from the article might have been included in the teaser. Lojack for laptops, encryption and passwords should be required for any company or academic laptop containing sensitive information.

  • Who needs a public image when you have gross mishandling to blame? To the yacht races!

It is impossible to enjoy idling thoroughly unless one has plenty of work to do. -- Jerome Klapka Jerome

Working...