CNET editor Emily Dreyfuss's fiancé ordered a tie from Banana Republic online. But when the package arrived from Gap Inc., it contained something else entirely: Pages and pages of employee data, including social security numbers. This strange story of a terrible mailroom mishap has been picked up by the AP, but here is Dreyfuss's account in her own words.
Yesterday, Gap Inc. sent my fiancé a package that was surprisingly heavy. It was supposed to be a tie from Banana Republic that he needs for our wedding; instead it contained three packets of confidential employee information, including original W-4 tax forms, hand-written resignation letters, performance reviews, and all kinds of legal notices.
So now we have in our house the Social Security numbers of over 20 former Gap employees.
Here’s the crazier part: this is the second time in three months that confidential employment and financial information has accidentally been sent to us. Two months ago, an Ivy League university mixed up some letters and sent us the employment records for a new professor. They meant to send my fiancé the final documents about his new post-doctoral position.
I believe both of these cases were accidents, but that doesn’t make it any less scary.
After tweeting at Gap Inc., I was direct messaged by a mortified Banana Republic customer service associate named Adam Ross. He apologized for what he called a “clearly horrible mistake by our store.”
“I almost spat out my coffee this morning when I read this,” he said. Banana Republic is going to send us a self-addressed stamped envelope to return the documents to them securely. They are likely also going to comp my fiancé’s tie. The Banana representative said that this incident would be pushed up the chain and if it was deemed the employees concerned needed to be informed of the matter, Gap Inc. would make sure to let them know. “Clearly we have a lot of integrity and want to do the right thing,” Ross said. I believe him. Except he also indicated that this has happened before.
“We are going to do our due diligence. I’m not the one who makes the call, but I will talk to the person who can figure it out to see if we need to contact these employees. We’ve acted accordingly in situations such as this previously. We want to do what’s right,” Ross told me.
Human error happens; we know that. And in a corporation as massive as Gap, with approximately 135,000 employees and over 3,000 stores worldwide, the amount of data being transmitted daily is enormous. But that is all the more reason to handle it extremely carefully.
I’m in a unique position to understand that no harm was probably meant because I’ve actually been on the other side of this unfortunate situation.
Years ago, I was working as a personal assistant because I couldn’t find a gig as an editor. On my second day on the job, I accidentally mailed a $40,000 check to Automotive News magazine, and sent an article about a Porsche Roadster to the bank. Oops. That my boss did not immediately fire me is both a miracle and also probably a terrible error on his part. At that age, I wasn’t cut out for the responsibility of having his financial life in my hands.
Back then, I put the wrong label on an envelope. According to Adam Ross, that’s what happened here, too. Individual stores send out both confidential employee information designated for a New Mexico warehouse AND customer orders. Both are sent in the same gray plastic bag, he explained. Someone just switched up the labels.
Knowing that fact, it’s easier for me to understand how this mistake could have happened, and how it could have happened before. The bags should not be the same color, Gap Inc.! One very easy fix would be to make the package that orders come in and the package that internal records are mailed in VERY notably different.
Whoever messed up those labels, like me back in the day, probably shouldn’t have that job. Probably they should do something else. But I also happen to know that they are probably very young adults making just $9 an hour (like all the other employees whose information I have in my hand).
People born in the late '80s, like most of these employees, don’t often interact with the mail. Everything in their life is digital. I have empathy for their situation. But I also don’t want my or your or their information in their hands.
And that’s one of the complicating factors: in an increasingly digital world, we hear about insecure data all the time, but this breach was old-school. It was paper. Just because we live more and more in the cloud doesn’t mean massive institutions like our employers and the IRS aren’t hoarding our vital information in massive physical databases. Our data is out there in all forms. It can be hacked, or it can just be mailed in a perfect bundle to a potential identity thief.
So, to the Gap employee who is probably going to lose your job because of this, I’m sympathetic, but also, let this be a life lesson: take a deep breath and double check important things. Someone could be draining your coworker’s bank accounts right now because you switched two labels.
I think back to my mail mix-up with deep, face-reddening shame. But I got over it and found a job where I never have to mail anything ever. You will, too.
This article is from the archive of our partner The Wire.