Personal information belonging to more than 650,000 US customers of J.C. Penney and other retailers is at risk after the company hired to safeguard the data lost a backup tape.

The information, which was entrusted to a company called GE Money, included social security information for about 150,000 people. The data was on a backup tape that was discovered missing in October from a warehouse maintained by storage company Iron Mountain. While there is no indication the tape was stolen, company officials have been unable to locate it, either.

In a twist of irony, the revelation of the missing information coincided with the debut of a mini documentary on cyber crime in which the chairman and CEO of J.C. Penney, Mike Ullman, speaks about the growing risk posed by online thieves.

At one point in the 20 minute-film, which was produced by security provider Fortify Software, he acknowledges that criminals are actively probing server code for mistakes that will allow them to access J.C. Penney information. He makes no mention of vulnerabilities relating to physical security or business partners.

The disclosure comes a year after TJX Cos., owner of the T.J. Maxx and Marshalls retail chains, suffered a server breach that exposed personal information for as many as 100 million people. Despite it being the world's biggest credit card heist ever and despite revelations security measures failed to meet credit card industry requirements, there's been little measurable backlash on the company. TJX stock has lost less than 1 percent over the past year, compared with a six per cent decline in the S&P 500.

GE Money has offered to pay for 12 months of credit monitoring for anyone whose social security number was lost.

According to the Associated Press, a letter signed by GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident." ®

Related stories

Hannaford cc data thieves planted malware on 300 servers (28 March 2008)
http://www.channelregister.co.uk/2008/03/28/massive_credit_card_breach_explained/
Supermarket loses 4.2 million credit card details (18 March 2008)
http://www.channelregister.co.uk/2008/03/18/hannaford_data_breach/
Boro council in child data theft flap (17 January 2008)
http://www.channelregister.co.uk/2008/01/17/boro_laptop_theft_flap/
Xbox Live account takeovers put users at risk (9 January 2008)
http://www.channelregister.co.uk/2008/01/09/xbox_live_account_takeovers/
Information security breaches quadrupled in 2007 (2 January 2008)
http://www.channelregister.co.uk/2008/01/02/data_breaches_skyrocket/
TJX settles with banks over credit card breach (20 December 2007)
http://www.channelregister.co.uk/2007/12/20/tjx_bank_settlement/
Data breach officials could be sent to the big house (18 December 2007)
http://www.theregister.co.uk/2007/12/18/hmrc_crim_penalties/
S&M blogger outs web host malware attack (14 December 2007)
http://www.theregister.co.uk/2007/12/14/latest_ipower_breach/
Top-secret US labs penetrated by phishers (7 December 2007)
http://www.channelregister.co.uk/2007/12/07/national_labs_breached/
HMRC still looking for disks - just don't ask Microsoft's Santa (7 December 2007)
http://www.theregister.co.uk/2007/12/07/wrap_dec7/