On December 23rd, Pepsi Bottling Group notified the New Hampshire Attorney General that:
During the week of December 8, the payroll department of The Pepsi Bottling Group (PBG) reported that it could not account for a portable data storage device, which contained unencrypted personal information, including the names and social security numbers of PBG employees in the US. Upon receiving the report of the missing device, the PBG security department conducted a thorough search for the device, but concluded it was lost.
Although the total number of affected employees was not provided in the report, 198 New Hampshire residents were affected. Information on the device also included the employees’ identification number and state of residence.
In an F.A.Q. sent to those affected, Pepsi indicated that a member of PBG’s payroll department had downloaded unencrypted personal information onto a portable data storage device in connection with an audit of payroll information. The F.A.Q. also indicated that although some of the files on the device were password protected, the employee information was in one or more files that were not password protected.
PBG has not responded to inquiries as to whether the situation violated any of its security policies.
Updated 2-15-09: According to the breach report Pepsi filed with NYS, the breach affected 33,923. Unlike other states, NYS’s form asks for the total number of individuals affected and not just the number of state residents. Not all entities provide the requested information, but many do, making NYS’s reports particularly helpful.