GMAC Customers' Data Put At Risk By Laptop Theft

A division of GMAC Financial Services has been quietly informing about 200,000 of its customers that their personal data may have been compromised due to the theft of two laptop computers from an employee's car at a regional office near Atlanta.

In a letter to its personal insurance customers, GMAC Insurance indicates that "a random theft" of the laptops from a locked vehicle may have left them vulnerable to identify theft. The letter -- obtained by InformationWeek --indicates that the stolen laptops contained customers' names, addresses, dates of birth, Social Security numbers, credit scores, marital status, and gender. "For incidents like this, government regulatory agencies recommend that you place a fraud alert on your credit file," the letter advises customers. The letter was dated March 12. The theft took place on Jan. 26.

One GMAC Insurance customer who received the letter says he was stunned to learn the company stored such personal data on laptops. "I'm not sure how or who determines what constitutes 'secure' when it comes to customers' personal information," the customer says in an E-mail interview. "However, if company guidelines deem it acceptable to house that data on laptops, in parked cars, then I would question their competence to establish any process and procedure to ensure the security of any data anywhere." The customer, who describes himself as a 30-year IT veteran, asked that his name be withheld.

A spokesman for GMAC Insurance says the company is reviewing its policies in light of the incident. "We are undertaking a comprehensive review of our security policies and procedures," he says. Among other things, he adds, GMAC Insurance now prohibits employees from transporting "certain types of information" on laptops and is evaluating new encryption technologies. The stolen laptops were password-protected but not encrypted, he says. The spokesman says the data was being used for a marketing research project. He declined to say if any employees were disciplined as a result of the theft, which police have not solved.

Corporate security experts generally advise businesses to store sensitive data on secure servers. They usually recommend that employees requiring the data access it through the server via secure lines and not store it locally.