Feeds

US bank loses unencrypted data on 4.5m people

IT finally hits the fan months after tapes go AWOL

Top 5 reasons to deploy VMware with Tegile

Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut.

The Bank of New York Mellon offered people whose details were mislaid identity theft insurance and two years' free credit monitoring, after adding its name to the growing list of organisations hit by customer information security disclosure problems. It said that tapes containing (unencrypted) back up information went missing in two separate incidents both involving third-party couriers. One of the screw-ups involved data held by the bank's shareowner services business while the other involved backup tapes for Working Capital Solutions, its cash payment arm.

Corporate clients affected by the twin breaches have already been notified. The bank is in the process of sending out letters of apology to ordinary Joes affected by the snafus. At least one of the incidents happened on 27 February, but the problem only came to light last week following a subpoena from the Department of Consumer Protection in Connecticut.

Depositors of People’s United Bank or shareholders of John Hancock, Walt Disney Company and TD Bank Financial Group are among the main groups affected. Of 4.5 million potential identity theft victims in total nearly 500,000 live in Connecticut.

Financial information, including Social Security numbers, names, addresses and bank account details has been exposed as a result of the breach.

"The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Connecticut Attorney General Richard Blumenthal.

The Bank of New York Mellon is attempting to calm fears by saying that "there are no indications that the data on the lost tapes has been accessed or misused in any way". What it isn't able to promise is that the data is safeguarded because the data wasn't encrypted. The bank promised a thorough review of its security policies is order to safeguard against a repetition of similar problems in the future.

Ahead of the results of that inquiry the bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media. Where the transmission of backup tapes or CDs is unavoidable the bank has promised to either encrypt the data or include "added controls". Hopefully these added controls will be more robust than simple password protection.

The need to encrypt data contained on physical media and handled by couriers was clear even prior to last year's HMRC data loss debacle. It's doubtful whether the Bank of New York Mellon will be the last firm to get into trouble over lost data on physical media after placing convenience over to security.

A statement from the Bank of New York Mellon on the slip-up can be found here (pdf). More background on the case can be found on the website of the Connecticut AG here. ®

Remote control for virtualized desktops

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
NOT OK GOOGLE: Android images can conceal code
It's been fixed, but hordes won't have applied the upgrade
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.