US bank loses unencrypted data on 4.5m people
IT finally hits the fan months after tapes go AWOL
Couriers lost magnetic tapes containing the personal details of 4.5 million people who had dealt with the Bank of New York Mellon, it has emerged. The incident happened three months ago, but has only surfaced after legal papers were filed in the state of Connecticut.
The Bank of New York Mellon offered people whose details were mislaid identity theft insurance and two years' free credit monitoring, after adding its name to the growing list of organisations hit by customer information security disclosure problems. It said that tapes containing (unencrypted) back up information went missing in two separate incidents both involving third-party couriers. One of the screw-ups involved data held by the bank's shareowner services business while the other involved backup tapes for Working Capital Solutions, its cash payment arm.
Corporate clients affected by the twin breaches have already been notified. The bank is in the process of sending out letters of apology to ordinary Joes affected by the snafus. At least one of the incidents happened on 27 February, but the problem only came to light last week following a subpoena from the Department of Consumer Protection in Connecticut.
Depositors of People’s United Bank or shareholders of John Hancock, Walt Disney Company and TD Bank Financial Group are among the main groups affected. Of 4.5 million potential identity theft victims in total nearly 500,000 live in Connecticut.
Financial information, including Social Security numbers, names, addresses and bank account details has been exposed as a result of the breach.
"The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Connecticut Attorney General Richard Blumenthal.
The Bank of New York Mellon is attempting to calm fears by saying that "there are no indications that the data on the lost tapes has been accessed or misused in any way". What it isn't able to promise is that the data is safeguarded because the data wasn't encrypted. The bank promised a thorough review of its security policies is order to safeguard against a repetition of similar problems in the future.
Ahead of the results of that inquiry the bank has promised to transfer data electronically, where possible, rather than depending on the transport of physical media. Where the transmission of backup tapes or CDs is unavoidable the bank has promised to either encrypt the data or include "added controls". Hopefully these added controls will be more robust than simple password protection.
The need to encrypt data contained on physical media and handled by couriers was clear even prior to last year's HMRC data loss debacle. It's doubtful whether the Bank of New York Mellon will be the last firm to get into trouble over lost data on physical media after placing convenience over to security.
Sponsored: Becoming a Pragmatic Security Leader