NEW YORK, N.Y. – The Social Security numbers and other personal information of about 15,000 New York City transit workers has been found on a CD inside a refurbished CD drive sold by a retailer, according to a letter obtained by The Associated Press.
“While we do not suspect nor have seen any evidence of misuse of the data, every precaution is being taken to ensure that this is the case,” the March 6 letter from Metropolitan Transportation Authority Chief Information Officer Sidney Gellineau said.
The MTA said an investigation is underway “to determine the cause of this security breach.” A complaint also has been filed with the New York Police Department; an NYPD spokesman did not immediately comment.
A spokesman for the MTA, which runs the city transit system and suburban commuter railroads, referred a reporter to the content of the letter for comment.
The Transit Authority said a customer of an unnamed major retailer purchased a refurbished CD drive for her personal use. That customer discovered the drive contained a CD that had a list of about 15,000 active, retired, deceased and former New York City Transit employees, along with certain personal information — including Social Security numbers, dates of birth, earnings information and other data.
The list includes employees holding positions in various titles, and levels throughout the organization, Gellineau said.
No hourly employees were on the list, the MTA said.
Coincidentally, the customer who bought the computer turned out to be an employee of a vendor that works with the Transit Authority. That person reported the discovery to her employer, who returned it to the Transit Authority’s attorney. Gellineau said in the letter that the vendor returned the CD without making a copy.
While thefts of personal information committed by hackers have grabbed headlines lately, experts say it’s also not uncommon for personal data to be exposed accidentally.
Beth Diamond, a global claims leader at the insurance company Beazley, said it’s entirely possible that the exposure of the personal information resulted from an act of carelessness. She noted that companies and other entities often donate old equipment to nonprofits, who then may in turn sell the equipment to retailers if they don’t have a use for it. The disc could have accidentally been left inside when that happened.
Employees also will sometimes look for old equipment at their workplaces that they can steal and resell. And it’s possible that a MTA employee copied some data for work-at-home purposes, forgot about the CD and then sold the drive with it inside.
But even in cases where the data is lost and not stolen, disaster can occur. Diamond said there have been cases where businesses such as real estate offices closed down and didn’t properly dispose of their clients’ personal information, which was then found by criminals.
“If the wrong individuals stumble upon it, they can realize that it can be a gold mine,” she said.
In order to prevent accidental breaches, Diamond said many companies put restrictions on employee computers that prevent them from copying files to take home. But no matter how many precautions are taken, breaches caused by human error are inevitable, she said.
The MTA letter noted that the placement of unencrypted personal information on a CD was a violation of its policy. “We are not aware of any other such violation of the policy.”
Eltman reported from Mineola, N.Y. Associated Press writers Jake Pearson and Ken Sweet contributed to this report.