Blood bank fears ID heist

Delta Blood Bank warns donors after a computer that held personal information is stolen.

Paul Festa Staff Writer, CNET News.com
More than 100,000 people who donated to a California blood bank may have parted with more than plasma.

Delta Blood Bank sent a letter Friday to donors, warning them a computer that held their personal information had been stolen and advising them to take steps against identity theft and credit card fraud.

"On Dec. 10, 2004, a thief or thieves stole one of two computers available for donor registration at a mobile blood drive being conducted that day," Delta CEO Benjamin Spindler wrote in the letter. "This computer contained confidential information about you, including your name, address, date of birth and your Social Security number. We deeply regret that this has happened."

Identity theft has emerged as one of the thorniest problems of the Internet age, and the threat has turned some missing laptops into potentially catastrophic security breaches. Wells Fargo in October had to warn customers when, for the third time in a year, computers with sensitive information went missing.

Since July of last year, California has required organizations to notify residents of the state "in the most expedient time possible and without unreasonable delay" if security breaches have exposed residents' personal information. The law applies to breaches of someone's name, plus a Social Security number, driver's license or California ID card number, a financial account number, or a credit or debit card number with a PIN or access code.

Delta's lost laptop, a new Compaq, was stolen outside the St. Paul's Lutheran Church in Tracy, Calif., following a mobile blood bank collection there.

Delta's director of human resources, John O'Neill, said two layers of security could still protect the personal information despite the computer's theft. The first is Microsoft's standard Windows password required to launch the operating system, and the second is the series of steps required to launch what O'Neill described as an "esoteric, unique" database, created by a software provider he declined to name.

"Could a hacker get in there, or someone familiar with those applications?" O'Neill asked rhetorically. "Potentially they could. That's why we sent the letter."

In addition to the letter, which urged donors to register fraud alerts with credit reporting agencies and check their credit ratings quarterly, Delta pledged new security procedures. The blood bank will no longer require Social Security numbers from its donors, and has revised procedures for handling computer hardware and other sensitive equipment.