Feeds

US bank loses unencrypted data on 4.5m people

IT finally hits the fan months after tapes go AWOL

Security for virtualized datacentres

Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut.

The Bank of New York Mellon offered people whose details were mislaid identity theft insurance and two years' free credit monitoring, after adding its name to the growing list of organisations hit by customer information security disclosure problems. It said that tapes containing (unencrypted) back up information went missing in two separate incidents both involving third-party couriers. One of the screw-ups involved data held by the bank's shareowner services business while the other involved backup tapes for Working Capital Solutions, its cash payment arm.

Corporate clients affected by the twin breaches have already been notified. The bank is in the process of sending out letters of apology to ordinary Joes affected by the snafus. At least one of the incidents happened on 27 February, but the problem only came to light last week following a subpoena from the Department of Consumer Protection in Connecticut.

Depositors of People’s United Bank or shareholders of John Hancock, Walt Disney Company and TD Bank Financial Group are among the main groups affected. Of 4.5 million potential identity theft victims in total nearly 500,000 live in Connecticut.

Financial information, including Social Security numbers, names, addresses and bank account details has been exposed as a result of the breach.

"The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Connecticut Attorney General Richard Blumenthal.

The Bank of New York Mellon is attempting to calm fears by saying that "there are no indications that the data on the lost tapes has been accessed or misused in any way". What it isn't able to promise is that the data is safeguarded because the data wasn't encrypted. The bank promised a thorough review of its security policies is order to safeguard against a repetition of similar problems in the future.

Ahead of the results of that inquiry the bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media. Where the transmission of backup tapes or CDs is unavoidable the bank has promised to either encrypt the data or include "added controls". Hopefully these added controls will be more robust than simple password protection.

The need to encrypt data contained on physical media and handled by couriers was clear even prior to last year's HMRC data loss debacle. It's doubtful whether the Bank of New York Mellon will be the last firm to get into trouble over lost data on physical media after placing convenience over to security.

A statement from the Bank of New York Mellon on the slip-up can be found here (pdf). More background on the case can be found on the website of the Connecticut AG here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.