EXCLUSIVE: Laptop Theft Puts GMAC Customers' Data At Risk

A division of GMAC Financial Services has been quietly informing about 200,000 of its customers that their personal data may have been compromised due to the theft of two laptop computers from an employee's car at a regional office near Atlanta.

In a letter to its personal insurance customers, GMAC Insurance indicates that "a random theft" of the laptops from a locked vehicle may have left them vulnerable to identify theft. The letter obtained by InformationWeek indicates that the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status, and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter advises customers. The letter was dated March 12. The theft took place on Jan. 26.

One GMAC Insurance customer who received the letter says he was stunned to learn the company stored such personal data on laptops. "I'm not sure how or who determines what constitutes 'secure' when it comes to customers' personal information," the customer says in an E-mail interview. "However, if company guidelines deem it acceptable to house that data on laptops, in parked cars, then I would question their competence to establish any process and procedure to ensure the security of any data anywhere." The customer, who describes himself as a 30-year IT veteran, asked that his name be withheld.

A spokesman for GMAC Insurance says the company is reviewing its policies in light of the incident. "We are undertaking a comprehensive review of our security policies and procedures," he says. Among other things, he adds, GMAC Insurance now prohibits employees from transporting "certain types of information" on laptops and is evaluating new encryption technologies. The stolen laptops were password-protected but not encrypted, he says. The spokesman says the data was being used for a marketing research project. He declined to say if any employees were disciplined as a result of the theft, which police have not solved.

Corporate security experts generally advise businesses to store sensitive data on secure servers. They usually recommend that employees requiring the data access it through the server via secure lines and not store it locally.

However, such safeguards are often an afterthought at many businesses. "There are not a lot of companies that have good procedures for protecting data, it's common for workers to take sensitive data home on an unprotected laptop," Gartner security analyst Avivah Litan says.

That may be part of the reason why identity theft has become a problem that's costing consumers and businesses billions of dollars. According to research published by the Federal Trade Commission in September, 4.6% of consumers the FTC surveyed reported that they were a victim of some form of identity theft. The FTC estimates that identity theft cost businesses $33 billion in 2002.

Legislators are hoping tougher regulations will help curb the problem. Under a law passed last year in California, companies doing business in that state are required to notify any customers who are California residents of any improper release of their personal data. U.S. Sen. Dianne Feinstein, D.-Calif., has introduced a similar bill at the federal level. Litan believes more high-profile data leaks could lead to more regulation. "The problem is becoming rampant so clearly more action is needed," she says.