Feeds

US bank loses unencrypted data on 4.5m people

IT finally hits the fan months after tapes go AWOL

Intelligent flash storage arrays

Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut.

The Bank of New York Mellon offered people whose details were mislaid identity theft insurance and two years' free credit monitoring, after adding its name to the growing list of organisations hit by customer information security disclosure problems. It said that tapes containing (unencrypted) back up information went missing in two separate incidents both involving third-party couriers. One of the screw-ups involved data held by the bank's shareowner services business while the other involved backup tapes for Working Capital Solutions, its cash payment arm.

Corporate clients affected by the twin breaches have already been notified. The bank is in the process of sending out letters of apology to ordinary Joes affected by the snafus. At least one of the incidents happened on 27 February, but the problem only came to light last week following a subpoena from the Department of Consumer Protection in Connecticut.

Depositors of People’s United Bank or shareholders of John Hancock, Walt Disney Company and TD Bank Financial Group are among the main groups affected. Of 4.5 million potential identity theft victims in total nearly 500,000 live in Connecticut.

Financial information, including Social Security numbers, names, addresses and bank account details has been exposed as a result of the breach.

"The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Connecticut Attorney General Richard Blumenthal.

The Bank of New York Mellon is attempting to calm fears by saying that "there are no indications that the data on the lost tapes has been accessed or misused in any way". What it isn't able to promise is that the data is safeguarded because the data wasn't encrypted. The bank promised a thorough review of its security policies is order to safeguard against a repetition of similar problems in the future.

Ahead of the results of that inquiry the bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media. Where the transmission of backup tapes or CDs is unavoidable the bank has promised to either encrypt the data or include "added controls". Hopefully these added controls will be more robust than simple password protection.

The need to encrypt data contained on physical media and handled by couriers was clear even prior to last year's HMRC data loss debacle. It's doubtful whether the Bank of New York Mellon will be the last firm to get into trouble over lost data on physical media after placing convenience over to security.

A statement from the Bank of New York Mellon on the slip-up can be found here (pdf). More background on the case can be found on the website of the Connecticut AG here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
BlackEnergy crimeware coursing through US control systems
US CERT says three flavours of control kit are under attack
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.