BP has admitted to losing a laptop containing personal details of 13,000 Louisiana residents that had claimed compensation over the Gulf of Mexico oil spill.
The laptop, which was password protected but not encrypted, contained a spreadsheet with names, social security numbers, phone numbers and addresses. It was lost during "routine business travel," a BP spokesperson told the Press Association.
The company added that there is no evidence that the lost data had been misused. Law enforcement agencies have been notified, as have the victims of the data loss, BP said. However, there was a delay of over a month between the laptop going missing and letters going out to the affected individuals. BP said this was because it was carrying out, "due diligence and investigating."
The data on the laptop referred to people that had submitted claims before the Gulf Coast Claims Facility (GCCF) was established in August last year. So far the GCCF has paid out around $2.2bn in compensation to those affected by the Deepwater Horizon explosion and subsequent oil leak.
Encryption specialists Stonewood said this is an opportunity to remind private sector organisations of their responsibility to data protection. "This loss reminds us in the UK that it’s not just the public sector that can come under fire for mishandling data: even the largest of businesses can show inexcusable carelessness with individuals’ sensitive information," said CEO Chris McIntosh.
"Leaving sensitive data on individuals such as this unencrypted is bad enough: when you factor in the legal importance of the data, and the scale of the event which made BP record it in the first place, it becomes inexplicable," continued McIntosh. "Certainly, if this had happened in the UK we’d hope that the ICO would be bringing its full weight down upon BP."