Several employees of the Legacy Village (Ohio) Apple store were fired today—both in person and by telephone—after personal information from a repaired computer was mistakenly transferred to another customer’s Macintosh during a data restore operation. According to several sources, the stores have a standard procedure and method of backing up and restoring hard drive data from customer computers brought in for service. The procedure ensures that data from one back-up is completely deleted after the restore to maintain privacy of all customer information. In this case, an employee backed up a customer’s computer to an external hard drive last month and performed the necessary service. However, a previous customer back-up had not been deleted from that hard drive. When the employee restored the data to the repaired computer, it included the back-up from the previous repair customer, including financial data, photos and videos. After the customer picked up the computer, he/she discovered another person’s personal information on the laptop. The customer contacted the Apple store, and an investigation was begun to determine how the privacy breach occurred. According to sources, the store’s video surveillance tapes revealed that 10 employees had not followed Apple’s procedure for making backups and performing restores on customer computers. Today, those employees were fired for violating the company’s customer data security policy. Sources say there remains a question if those who were fired had been properly trained on Apple’s standard backup/restore procedures. The two involved customers were compensated for the employees’ mistake: they were given Apple gift cards, new Mac computers and a subscription to the LifeLock identify theft protection plan.
E-mail this story
Related posts:
{ 19 comments… read them below or add one }
Didn’t happen. No way Apple gave someone “LifeLock” the BS service that’s been fined by the FTC for deceptive practices etc.
Ouch – fired. Yikes … that’s pretty severe.
I think Apple takes the privacy of its customers at heart and I can understand why they are dealing so harshly with employees who are lackadaisical about safeguarding personal data, in spite of all the trainings they have received. This kind of mistakes if not addressed head on, can cause a ton of damage to the company business model.
I work at that location, it most definitely did occur and all the details seem to match what happened, but it was 6 employees fired. Lifelock was purchased for 3 years for both customers.
Management approved the use of these!
Considering Apple has no formal procedure for securing personal data this shouldn’t be surprising. Technicians routinely access personal information during the course of repair, and as far as data transfers go, there is no policy available on how this should be done. Are the DMGs encrypted? What is the data retention policy? What prevents a technician from copying personal data via a USB drive, etc? What specific technical and procedural safeguards are in place to prevent the disclosure of personal information? The answer to these questions speaks for itself.
That is not my experience. I have suggested methods to diagnose problems at the genius bar and they have declined those methods because they would violate Apple’s privacy guidelines. Even after I suggested I was OK with it, they would continue to decline. It very much seems a company policy.
This is absolutely not true. Apple has strict policies for Migrating and Transferring Customer data. A similar event nearly happened at the ARS location I work at. Luckily, it was caught by employees before the customers got their computers back. Apple has a clear guide on how to complete Mac to Mac and PC to Mac data migrations, and it clearly states failure to follow data security policy will result in termination.
Actually Apple does have a very specific policy on customer data. The data is stored on a server in the repair room. This server is not connected to any networks at all, and it is setup with very strict security measures. Granted the Mac Genii that work in the genius room have access to the said data, they typically take their jobs very seriously and don’t get the data mixed between machines. Once a customer picks up the machine from repair, that data is removed off of that server. This IS policy, if someone didn’t delete the information like they are supposed to, then that was an unfortunate mistake. Apple does not hold customer information at all once that machine is out of the store, unless directed by management. Techs typically don’t get involved in customer data, they secure it for repair purposes.
I worked at an Apple Store a long time ago as a genius and I am disconcerted by the posts that I see here.
First, no current Apple employee should be commenting on a website about anything Apple-related. Period. Apple takes it very seriously. I’ve seen employees terminated for violating that.
Second, the policies regarding customer data and privacy are crystal clear and are not anything that should be shirked, ‘interpreted’ or ignored. Hence the firings. I find it very difficult to believe that management approved the use of these external hard drives and actually read or understood the policy. Either way, it was ignorance or a break in policy.
@Gary: How do you know management approved it? Do you also work there?
Since my NDA expired, I’ll share some information. Mind you, these are old policies but I doubt they have changed much.
• DMGs were not encrypted. Systems were backed up by Disk Utility.
• Customer disk images are stored on a standalone server. It is not even connected to a network.
• Immediately after pickup, the data was removed from the server.
• Technicians were forbidden from carrying USB drives in store
There’s not really anything that prevents a technician from doing bad things except their own desire to do the right thing for a customer. Obviously, something at this location was lost along the way. Very unfortunate.
If Apple Corporate were ever to take the complaints against the management at the specific store seriously they would realize the management needed to be replaced several years ago… The firings of the people responsible may be warranted.. however the Titanic didn’t sink because of the decisions of the 3rd class passengers…
As a former Apple “Genius” (terrible job title), I’m not surprised. I liked working for Apple, had a good time there and all, but the store where I worked at, one of the first things that used to be done (and potentially still happens) was go over customer’s photos.
And it was consistently done by most of the genii (I’ll admit, I did it a few times), including the lead. I know there were other stores in this city where that was a “fun” and “usual” practice.
@Jose: high five for he awesome analogy.
LOL, well its happens a lot here in the UK Apple Stores. Nothing like that happens where we sack the boot, just sorry to the customer and their repair is free of charge. ;p
To the comment in the article about “Sources say there remains a question if those who were fired had been properly trained on Apple’s standard backup/restore procedures” – I have to say this seems exactly correct.
As a former Apple Technician – we rarely handled customer data past on their own computer. Backups and the like were very rarely done, and data transfers were always direct one computer to another. I always found the enforcement of data security and the training on keeping private information private lackluster to say the least, and can not say I’m surprised this happened. It was only a matter of time. Apple needs to look at their management for sure!
Not to say that the firing of these employees wasn’t warranted, it sounds like they were carelessly stupid about protecting data, but perhaps this is partly because they were not trained on protecting data!
You pay these kids $10 an hour and expect them to be professionals. You get what you pay for.
I can’t speak to the past or to overseas but I am a Genius right now in a US store and we do NOT do backups for any reason. Corporate policy is that no customer data ever goes on our harddrives or computers nothing.
the customer must do ALL backups at home. if they don’t and we have to wipe the drive etc, tough shit on them. We make them sign a form that says that they have done whatever backups they feel are needed and understand that we do NOT do any kind of data backups or recovery. Not on a computer, a phone or anything.
We are not even allowed to do a data transfer and set up off a hard drive. You gotta bring in a working computer and it goes from your old one to your new one and you take both of them with you.
If these folks were indeed fired it was NOT for failure to properly back up and erase the data. It was that they violated policy and did the back up in the first place, which they were not supposed to do.
Thanks for the additional insights into the Genius repair process. It’s helpful to know that Apple has procedures in place to ensure the confidentiality of data. The procedures simply have to be followed.
This is actually completely incorrect. Apple has a backup procedure that customer’s can pay for before they send machines to Depot for repair. There is a designated server that stores the information that only technicians have access to. I’m not sure what “policy” you’re talking about, but it is far from the facts that Apple does not allow customer backups to be in the store. The ONLY type of backup that techs cannot do is backup customer’s iPhone data. Unless specifically told to do so by a manager, and this is a very specific violation of policy, but managers have the okay under a case by case basis. So I’m calling you out buddy. I think you are full of your “policies” man.
{ 1 trackback }