Feeds

US bank loses unencrypted data on 4.5m people

IT finally hits the fan months after tapes go AWOL

5 things you didn’t know about cloud backup

Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut.

The Bank of New York Mellon offered people whose details were mislaid identity theft insurance and two years' free credit monitoring, after adding its name to the growing list of organisations hit by customer information security disclosure problems. It said that tapes containing (unencrypted) back up information went missing in two separate incidents both involving third-party couriers. One of the screw-ups involved data held by the bank's shareowner services business while the other involved backup tapes for Working Capital Solutions, its cash payment arm.

Corporate clients affected by the twin breaches have already been notified. The bank is in the process of sending out letters of apology to ordinary Joes affected by the snafus. At least one of the incidents happened on 27 February, but the problem only came to light last week following a subpoena from the Department of Consumer Protection in Connecticut.

Depositors of People’s United Bank or shareholders of John Hancock, Walt Disney Company and TD Bank Financial Group are among the main groups affected. Of 4.5 million potential identity theft victims in total nearly 500,000 live in Connecticut.

Financial information, including Social Security numbers, names, addresses and bank account details has been exposed as a result of the breach.

"The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Connecticut Attorney General Richard Blumenthal.

The Bank of New York Mellon is attempting to calm fears by saying that "there are no indications that the data on the lost tapes has been accessed or misused in any way". What it isn't able to promise is that the data is safeguarded because the data wasn't encrypted. The bank promised a thorough review of its security policies is order to safeguard against a repetition of similar problems in the future.

Ahead of the results of that inquiry the bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media. Where the transmission of backup tapes or CDs is unavoidable the bank has promised to either encrypt the data or include "added controls". Hopefully these added controls will be more robust than simple password protection.

The need to encrypt data contained on physical media and handled by couriers was clear even prior to last year's HMRC data loss debacle. It's doubtful whether the Bank of New York Mellon will be the last firm to get into trouble over lost data on physical media after placing convenience over to security.

A statement from the Bank of New York Mellon on the slip-up can be found here (pdf). More background on the case can be found on the website of the Connecticut AG here. ®

Next gen security for virtualised datacentres

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.