A CD containing personal information about thousands of Alcatel-Lucent employees and their dependents has been lost or stolen, the company said on Thursday.The disk contains the names, addresses, Social Security numbers, dates of birth and salary information for U.S. employees who worked for Lucent prior to its merger with Alcatel, as well as Lucent retirees and dependents of both groups, the company said.The disk was prepared by Hewitt Associates, which administers Alcatel-Lucent’s benefits plans, for delivery via United Parcel Service to another contractor, Aon, Alcatel-Lucent said.“We are still investigating this matter, but we believe the disk was lost or stolen between April 5 and May 3,” Alcatel-Lucent told employees in a letter on its website. The company was informed by one of the contractors on May 7 that the disk had gone missing. The information on the disk was not encrypted, said Alcatel-Lucent spokeswoman Mary Lou Ambrus.Alcatel-Lucent is reviewing its security policies to avoid further such incidents, it said. In the meantime it has asked its contractors not to send personal information via courier service. Asked if sending unencrypted personal data via UPS would violate Alcatel-Lucent’s current policy, Ambrus said: “We require our vendors to maintain reasonable measures to protect personal information, and we are investigating how and why this happened.”Representatives of Hewitt Associates could not immediately be reached for comment. Al Orendorff, a spokesman for Aon, said his company never received the disk and declined to speculate about what happened to it. “We’re all looking into this issue and trying to find out what happened and why,” he said.Alcatel-Lucent said it was not aware any of the data had been misused. It has offered those affected a year’s free identity-theft protection and credit monitoring. “We apologize and deeply regret that this has happened,” it said.Ambrus wouldn’t say exactly how many people’s data was lost or stolen, citing the investigation. But the letter to employees indicates that the total could be in the tens of thousands.“If you are an Alcatel-Lucent U.S.-paid employee who worked for Lucent, a Lucent retiree or dependent of an employee or retiree, or a COBRA participant, then your information is on the disk,” the company said. (COBRA, or the Consolidated Omnibus Budget Reconciliation Act, refers to a law covering U.S. health benefits.)Lucent had 17,400 employees in the United States as of Sept. 30, 2006, according to regulatory filings. The disk did not contain credit card numbers, bank account numbers or some other types of sensitive information, the company said. It has opened an internal investigation and has contacted the U.S. Secret Service and state and local police. —James Niccolai, IDG News Service (Paris Bureau) Related content brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe