Time Warner reported Monday that a shipment of backup tapes with personal information of about 600,000 current and former employees went missing more than a month ago during a routine shipment to an offsite storage site.
The tapes, part of a routine shipment being taken to the site by off-site data storage company Iron Mountain didn't include data about Time Warner customers, the company said in a statement.
The company told employees Monday that the data tapes went missing March 22.
"We are providing current and former employees with resources to monitor their credit reports while our investigation continues. We are working closely and aggressively with law enforcement and the outside data storage firm to get to the bottom of this matter," said Larry Cockell, Time Warner's chief security officer.
The U.S. Secret Service is working with both Time Warner and Boston-based Iron Mountain to investigate the missing tapes.
The $42 billion media company said in a statement that there is no evidence that the data has have been illegally accessed or misused. The company said it has contacted major credit agencies -- Equifax, Experian, and Trans Union -- about the data loss.
After determining that publicizing the data loss wouldn't interfere with the investigation, Time Warner posted a statement about it on its Web site, as well as a letter to its employees about the incident and an FAQ.
In the letter to employees, Time Warner said the missing tapes contained data such as names and Social Security numbers of current and former U.S.-based employees, their dependents and beneficiaries.
Cockell said in the statement to employees that the company has made arrangements with Equifax to offer U.S. employees a free subscription to Equifax's Credit Watch Gold credit monitoring service to help protect identity and credit information for 12 months.
Time Warner's disclosure follows on the heels of other high-profile security breaches in the U.S. In March, a laptop containing data on 100,000 graduate students, alumni and applicants from the University of California, Berkeley, was stolen from a campus office.
Bart Lazar, a privacy and intellectual property lawyer and partner in the law firm of Seyfarth Shaw. in Chicago, said that as data loss incidents pile up, thereÕs greater potential that firms found responsible will have to change their data security standards. Most of the pressure, he said, may come not from Congress but from insurance companies that will require more stringent safeguards before signing with a client.
Part of the problem, Lazar said, is that companies don't have proper chain-of-custody requirements or encyption technology in place.
"I've dealt with many of these companies, and if you ask them what happens with their data ... they can't chart it," he said. "Or the companies know what to do and they just haven't committed the resources to do it. Companies have to deploy their resources. I don't know what SANS [Institute] says the spending on security is, but it's not huge."
Lazar said data loss incidents will also likely give rise to more companies turning to internal data protection schemes instead of using third-party service providers or external data processors.
These big incidents [are] what leads to consciousness raising and may lead to reasonable security standards, he said.
Reuters contributed to this report.