The company said it was informed by a third-party vendor on 7 May that a disk containing the personal information of an unknown number of current and former employees had been lost or stolen.
Data on the disk included names, addresses, Social Security numbers, birth dates and salary data of Lucent employees and their dependents.
In a statement posted Thursday on its website, the company revealed that credit card, bank or password information was not included on the missing disk.
Alcatel-Lucent reported that the disk was either lost or stolen between 5 April and 3 May after being prepared by Hewitt Associates for delivery by UPS to another vendor, Aon Corporation.
The Murray Hill, N.J.-based firm said it had received no indication that the personal information has been misused, but informed state and local authorities and the US Secret Service about the incident.
The company will also provide affected individuals with a year of identity theft protection and credit monitoring.
Affected personnel can also call 1-866-795-8756 for more information on the incident.
Alcatel-Lucent spokeswoman Mary Ward told SCMagazine.com that the firm is not disclosing the number of affected employees for security reasons. A Friday
report in the
Newark Star-Ledger said the number could be as high as 200,000.
In a statement, Alcatel-Lucent apologized for the data loss.
"We recognise that we have a responsibility to carefully protect this type of information and deeply regret this loss," said Frank D’Amelio, Alcatel-Lucent chief administrative officer.
"We are taking steps to try to prevent this from happening in the future. In the meantime, we will provide information and assistance to our employees and retirees to help them minimize any potential risk this incident could create for them."
Bill Bartow, vice president of product management at Qualys, told SCMagazine.com that corporations should ensure that outside vendors have acceptable data protection policies in place.
"First you have to have good, solid data security policies within your company, and then you have to extend it to other parties, including outsourcers. Then you have to ensure that they follow that policy," he said.
"Certainly you can audit your business partners to ensure that they have best practices in place for data protection. One of the first things many people do is to classify their data and realise that there are certain types of data that should be treated differently."