The Social Security numbers and other personal information of about 15,000 New York City transit workers has been found on a CD inside a refurbished computer sold by a retailer, according to a letter obtained by The Associated Press.
“While we do not suspect nor have seen any evidence of misuse of the data, every precaution is being taken to ensure that this is the case,” the March 6 letter from Metropolitan Transportation Authority Chief Information Officer Sidney Gellineau said.
The MTA said an investigation is underway “to determine the cause of this security breach.” A complaint also has been filed with the New York Police Department; an NYPD spokesman did not immediately comment.
A spokesman for the MTA, which runs the city transit system and suburban commuter railroads, referred a reporter to the content of the letter for comment.
The Transit Authority said a customer of an unnamed major retailer purchased a refurbished CD drive for her personal use. That customer discovered the drive contained a CD that had a list of about 15,000 active, retired, deceased and former New York City Transit employees, along with certain personal information — including Social Security numbers, dates of birth, earnings information and other data.
The list includes employees holding positions in various titles, and levels throughout the organization, Gellineau said.
Coincidentally, the customer who bought the computer turned out to be an employee of a vendor that works with the Transit Authority. That person reported the discovery to her employer, who returned it to the Transit Authority’s attorney. Gellineau said in the letter that the vendor returned the CD without making a copy.
While thefts of personal information committed by hackers have grabbed headlines lately, experts say it’s also not uncommon for personal data to be exposed accidentally by employees who copy files for work-related purposes and then either lose or forget about them.
Even in those cases, disaster can occur if the information happens to fall into the wrong hands. Exposure of Social Security numbers is particularly dangerous, because that can easily lead to identity theft.
The MTA letter noted that the placement of unencrypted personal information on a CD was a violation of its policy. “We are not aware of any other such violation of the policy.”
(AP)