Bank Of America Loses 1.2 Million Customer Records
Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly effect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"
SmartPay program
Doesn't sound so smart right now...
As a US Government employee (US Air Force to be precise) I can tell you that Bank of America is regarded by most of us (us = gov't employees) as a faceless entity that cares nothing for customer service. I doubt this will come as much of a surprise to those of us who have been required by our occupation to associate with them for some time. Maybe now the powers that be will get their collective head out and pick a new bank.
Specialization is for insects. -Heinlein
Doesn't this make like the third time this week this kind of thing has come out?
At least BoA seems to be actually tracking those. How many companies bother with that, especially old tapes or old disk drives? "Just throw them in the dumpster", or sell them as surplus.
I wonder who got all the data now. Losing stuff is bad but finding stuff in the wrong hands is much worse.
At this point it might be easier to start telling the public the financial institutions who have NOT lost any personal information of their customers.
Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.
As we all know, nothing is as valuable as our information.
But aren't the backups encrypted? Right?
You may recall the recent Choicepoint security breach. Apparently there's profit to be made in between finding out about a security breach and actually announcing it!
ChoicePoint execs sold shares before theft news
ChoicePoint Inc.'s top two executives made a combined $16.6 million in profit from selling company shares in the months after the data warehouser learned that people's personal information may have been compromised and before the breach was made public, regulatory filings show. ChoicePoint's stock has dropped about 10 percent since last week when the company announced that criminals had duped it into allowing them access to its massive database. Alpharetta, Ga.-based ChoicePoint says the stock trading was pre-arranged under a plan approved by the company's board. Corporate governance experts say the pattern and timing of the trading by chief executive Derek Smith and president Douglas Curling raises questions. Smith and Curling did not respond to repeated requests through a spokesman for comment Friday.
Full Story: Twincities.com (Subscription Required - use bugmenot.com)
I'm a big tall mofo.
When businesses started collecting huge amounts of detailed information via the web in the mid 1990's, it was clear where we were heading:
1. unlimited storage capacity meant complex and detailed records could be kept on every person.
2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.
I don't see either of these trends changing.
Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.
Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...
Sig for sale or rent. One previous user. Inquire within.
GSA Smartpay is a program through which gov't employees are issued what is essentially a company credit card, but the US Gov't is the company. They're used for official purchases, for gas cards for government owned vehicles, etcetera.
The following website explains it in governmentese:
http://www.gsa.gov/Portal/gsa/ep/channelView.do?pageTypeId=8199&channelPage=%2Fep%2Fchannel%2FgsaOverview.jsp&channelId=-13497
I wonder how many of these customer data compromises ultimately are going to be chalked up to good old fashioned human error?
Yeah, I know, ultimately all of them until computers write their own programs (and that's the day that I unplug and head for
I mean stupid stuff, like a clerk misfiling a tape, or someone leaving a door unlocked, or something "non-computerish." Doesn't mollify the millions of people whose data are now at risk, I know.
You can't just throw automation at something and know that it's gonna get better. If you don't have a business process, all your computers are ultimately only large paperweights.
Against stupidity the gods themselves contend in vain.
-kgj
online trust falling overall in other news: Bank Of America Loses 1.2 Million Customer Records
The lost records mainly effect U.S. government employees
So it brings more government employees into being? Doesn't everything?
sounds like they were lost, as in misplaced and not yet found.
The truth about Led Zep should never be told on
what, ah, fight club style? obliterate all records?
did they lose the financial info too? seems like that'd be, um, a problem.
Myren
One might easily assume that the executives are profiteering swine, and that the company's board members are colluding at the trough.
Furthermore, ChoicePoint has a
The article doesn't really explain why this confidential data was being moved in the first place.
Why were they flying tapes around?
Shouldn't backup tapes be kept in secure offsite storage?
Were they moving their data center?
Do they regularly fly customer information around the world rather than use something mundane like SSL?
This article leaves a lot of unanswered questions about who in their right mind gave a bunch of tapes to freaking baggage handlers. Seems like they lost somebody's luggage, and somebody just happened to be carrying around a huge database of federal employee banking information. Brilliant.
Especially from a company that prided itself in TV ads as one that "engineer[s] our own software" because "one error in a billion" in their checking was one too many.
Well, I guess they have at most 999,999,999 more transactions until we know that they've blown their *ahem*commitment to their consumers--unless you count each person affected as an error here, in which case we can probably sue them for false advertising. Or at least utter stupidity.
That said, I bet someone mixed those backup tapes in their bedroom with their pornos, in which case roughly half of the Government officials are thanking teh Bank this morning.
You can hold down the "B" button for continuous firing.
These were data tapes. Been in use long before the Internet, and, almost certainly, have been going missing long before the Internet. Could just as well have happened with old fashioned ledgers in 1910.
For all we know, they were stolen out of the back of some truck and lifted by the overnight cleaning crew.
-- Slashdot: When Public Access TV Says "No"
These two statements seem to be at odds with each other:
"We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."
Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.
So - they are so concerned about maintaining the security of their data that they gave it (in a very nondescript way, mind you) to a group of people outside of their organization who have a history of struggling with integrity.
yippee...
Those back-up tapes should have been encrypted if they carried such important information on them. The way that should have been done is typical of PK crypto systems: encrypt the key for a symmetric cipher used to encrypt the data using the public keys of the people allowed access to the data. That way even if someone snagged the raw medium, the information would still have been safe[r].
So I now ask, why don't corps come standard with a PKI? The tech has been around for a decade or more.
- Nolan
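The scheme Nolan describes, as an added Go example that is not code from the thread, from Bank of America, or from any vendor: the records are encrypted once under a random AES-256-GCM data key, and that key is wrapped under each authorised restorer's RSA public key, so a tape on its own is useless without a listed private key. The restorer names, the record line and the freshly generated 2048-bit keys are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is one restorer: an identifier plus the data key wrapped under that person's RSA public key.
type Recipient struct {
	ID         string
	WrappedKey []byte
}

// Envelope is what would go onto the tape: the records encrypted once under a random
// AES-256-GCM key, plus one wrapped copy of that key per restorer. The plaintext key is never stored.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte // GCM output, authentication tag included
	Recipients []Recipient
}

// GenerateRestorerKey makes a 2048-bit RSA key pair for one restorer (demo helper).
func GenerateRestorerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts data so that only holders of the listed keys' private halves can recover it.
func Seal(data []byte, pubs map[string]*rsa.PublicKey) (*Envelope, error) {
	dek := make([]byte, 32) // fresh data-encryption key for this tape only
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	for id, pub := range pubs {
		// The restorer's ID is the OAEP label, so a wrapped key cannot be quietly relabelled.
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(id))
		if err != nil {
			return nil, err
		}
		env.Recipients = append(env.Recipients, Recipient{ID: id, WrappedKey: wrapped})
	}
	return env, nil
}

// Open recovers the records with one restorer's private key. Whoever holds only the
// tape, without a listed private key, gets an error and nothing else.
func Open(env *Envelope, id string, priv *rsa.PrivateKey) ([]byte, error) {
	for _, r := range env.Recipients {
		if r.ID != id {
			continue
		}
		dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, []byte(id))
		if err != nil {
			return nil, err // wrong key or mismatched label: the OAEP check fails
		}
		block, err := aes.NewCipher(dek)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // also detects tampering
	}
	return nil, errors.New("no wrapped key for restorer " + id)
}

func main() {
	alice, _ := GenerateRestorerKey() // constructed restorers for the demo
	bob, _ := GenerateRestorerKey()
	records := []byte("acct=0001,name=constructed sample,balance=12.34")
	env, err := Seal(records, map[string]*rsa.PublicKey{"alice": &alice.PublicKey, "bob": &bob.PublicKey})
	if err != nil {
		panic(err)
	}
	got, err := Open(env, "bob", bob)
	fmt.Printf("bob restores: %q err=%v\n", got, err)
	_, err = Open(env, "alice", bob) // bob's key against alice's wrapped copy
	fmt.Println("wrong key:", err)
}
```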
As this also includes some senators' records, maybe now something will be done about this type of thing.
For the ignorant among us, does anyone know exactly how big a magnetic tape (or tapes) containing 1.2 million customer records is? Are they, say, big enough to fit in a briefcase or are they more on the truckload size?
Every time this happens, everyone in upper management at the company involved gets their personal information released to the public. A time or two with people seeing how a CEO couldn't play nicely with others in grade school or was arrested for shoplifting at 19, and we'd see a bit tighter security.
This tagline is copyrighted material. Please send $10 for an affordable replacement.
Why couldn't they lose *MY* records?!
Balance Beginning 02/10/2005: -$494.43
Balance Ending 02/10/2005: -$560.43
Available Balance as of Today: $0.00
Since I'm apparently so at risk of having my online identity stolen, I guess it's time to go steal a few myself -- never hurts to have some backup identities!
In Europe this bank would be in major trouble. Does the US seriously not have any laws whatsoever regarding personal information? Even for banks and medical records!? I know there are some states where you have to be told if it's lost but that's pretty pathetic.
This comment does not represent the views or opinions of the user.
These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?
Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.
Look guys - until you put regulations in to make people responsible for properly securing and transporting private data, the principals involved won't worry that much, beyond PR, about taking the right steps for the future.
For years Bank of America has shown their incompetence and utter lack of respect for their customers. My personal ordeal with them happened back in 2000. I was in the process of moving to another bank due to all of the past problems I had with them and had left a few hundred dollars in my account to cover several outstanding checks written for small amounts. Normally this would be ok but somehow BofA decided that they would reorder checks for me 27 times *AND* charge me for them. Well the charges for the "reorder" caused the account to be overdrawn when outstanding checks were cashed causing about $400 in so called "overdraft charges". Although they took care of the charges for the reorder glitch they absolutely refused to take care of the overdraft charges that resulted from THEIR goof. After about 6 months I finally had to file suit in order to get the matter resolved. During the 6 months of fighting with them I found out that a lot of the people I worked with had similar issues with them and that problems like that were not all that uncommon. At least BofA seems to be moving up in the world. Instead of screwing one customer at a time they've moved up to doing it in batches. Must be one of their new money saving moves!
Another goofy conspiracy theory, but... Has anyone ever theorized that banks may think they can profit from ID theft in some manner? (Taking into account the losses these banks have to swallow when a fraud alert is raised.)
It's hard to imagine, with the money these banks generate in profit, why the heck they aren't more proactive with security. First ChoicePoint, now Bank of America. Does anyone know what shipping company BoA used to ship the tapes?
!@#$% whole-grain cereal. When I want fiber, I eat some wicker furniture. - G. Carlin
I doubt that you meant it that way but your post has rubbed me the wrong way. Yours is just the latest in a long-running series of similar posts where the blame for a situation is redirected at the victim.
The tapes were believed to be stolen by airport baggage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.
By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and no where else.
In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But it becomes a question of reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.
Let's put the blame where it belongs. Don't redirect the blame to the victims.
yes, that is what it sounds like, but one does not know. Even if they were to be found in the future, unless it happens to be in a very unusual event, in which they can somehow prove the whereabouts and control of the tapes for the entire time, there will be no way to prove that someone of dubious intention has not had them and already gained what information they wanted from the tapes.
Shoot them all if they mention the word "secure" anywhere!
I have browsed through the comments and I am shocked to see that people's comments show that the only thing that should worry BoA about this issue is the PR problem or whether they piss off some VIP by revealing their data. One of them even claimed that the bank could benefit from this.
The data of a company is one of its most important assets, and forever (long before the computer age) companies have tried to lock it up, because it shows everything about their customers, but also everything about the companies themselves.
Now if a bank gets hold of that data, they can browse and find out which are the good customers (a lot of transactions, no problems with payment or delays, big benefits) and try to offer them better conditions than their current ones, and which ones are the bad customers (little movement, debts, bad financial situation) and must be rejected if they go to their bank.
Aside from the legal and PR stances, the company's own interest is to protect its data, and that is enough to make me sure that some heads have already been cut...
Why can't
My bank (a big chartered bank here in Canada) lost "a number of documents" in their branch renovation move - across the street! My documents were in the "number" that they had lost. I have a letter on bank letterhead to prove it, even if it took me over a month to get it. The bank seemed unconcerned.
Bank of America said it will continue to monitor the accounts on the data tapes and will contact the government cardholders if any unusual activity is observed.
Earlier in the article they said there are 2.1 million accounts and 1.2 million of those have been compromised.
How will it be possible to monitor for "unusual activity" on half of your accounts? Unusual when compared to the other half?
Not very realistic, I think.
I'm very upset over this, and I take it as a signal that our information handling will only generate more problems as time progresses. I am a Bank of America customer, and yeah I have them deal with my credit. If I can't even trust my bank not to lose my data, then what the hell...why am I living in a civilized society then? Why am I not better off fending for myself on some remote island, using a 100% cash based system? The more I ponder, the more I get the feeling big corporations and government agencies couldn't give two shits about the American Citizens these days. In fact, I bet it is to their benefit that they do not.
Help me, help you. - Jerry McGuire
thanks to our pro-big business government's recent successful attempt to limit the venue and the damages for any future class action lawsuits - the Tort Reform Act was just signed into law.
Isn't it just amazing that mere days after this legislation passes:
(1) CheckPoint reveals 150 million users' information has been compromised,
(2) Microsoft accepts $5.00/incident liability for their bugs causing data loss, and
(3) Bank of America loses backup tapes that compromise 1.2 million (+) Federal employees' account information.
The FBI's "Carnivore" program has been phased out because new COTS software (and the ISPs that will use it) is a better solution. The DHS's "TIPPS" (air travelers' info) database is drawn from commercial entities. And the DoD's "TIA" program was scrapped in favor of the DHS's "MATRIX" program, which is a collaboration between industry (including CheckPoint) and government.
Is anyone else besides me starting to have high anxiety about the accuracy, safety, and security of information about us all out in the wild?
Come on folks, don't you know that Information wants to be Free? I read that all the time on here. I welcome our new information freeing baggage handling overlords.
sysadmin 1: ...ok, we're all set. You got the tapes? ...what tapes? ... ... ....OH SH*T!
Um...maybe they can get a copy of the data back from homeland security?
They will be getting fined $500 for exposing individuals' personal information and they will also be getting fined $50,000 by the FCC because someone at the company said "Oh Shit!"
News Reporters Make Tasty Polar Bear Treats!
Who could benefit the most from the fact that information about how DoD employees spend their money gets destroyed? Sounds like an attempted cover-up for a scandal to me...
CEOs' and presidents' stock sales are usually scheduled months in advance with the SEC. At the time they announced the sale of this stock the police hadn't been put on the case, so it's unlikely anyone knew. Unless, of course, they knew that their system was being abused but had chosen to schedule a stock sale instead of reporting it to the cops.
I'd still call for firing the people if they're claiming that they're so out of touch with the company that they didn't know about its giant breach of security for months.
If I have been able to see further than others, it is because I bought a pair of binoculars.
...but if the financial institutions that own my loans (car, student, credit card) suddenly "forgot" about them...well...I'd like that! Reminds me of Fight Club.
Sen Leahy wrote http://leahy.senate.gov/press/200502/022205.html to the Senate Judiciary Chairman Arlen Specter in the wake of ChoicePoint. From what I've read there will be hearings, but not sure when. I hope it leads to the start of strict laws on consumer data protection. I have doubts.
Well, now that we've "gotten over" the loss of privacy, perhaps the next thing the McNeely's of the world will tell us is that we should get used to this kind of identity theft lottery too.
Wansu, th' chinese sailor
Just one more thing to add to http://www.bankofamericasux.com/
With it, the tapes would be just tapes. And B of A wouldn't need to be excoriated. At least for this.
I haven't signed up to pay on-line and was hoping the statement would just "show up" in the mail, so when I finally called them the other day and asked about this, the person on the other end said they had were aware of some "problems" at the moment with "some" accounts and would help me make a payment over the phone if I wanted.
For 25 years I've never had a credit card statement not show up. Is this related? I don't know.
I like microcars
They defrauded a bank.
The bank then turned around and started illegally harassing you because they were incompetent.
People need to start bringing suits against the criminals at the banks that persist in blaming us for the bank opening accounts for other people in our name, which is, at the minimum, slander. Which then leads to harassment.
And if they take any action against you once they know of their mistake, like asking you to do a bunch of stuff before the mark is removed from your credit report, that's extortion.
If corporations are people, aren't stockholders guilty of slavery?
Effect?... Affect? English 101, anyone?
Deja Vu
n. 1. The sensation that you've read this very article before.
no one EVER recovers anything from tapes anyways.
Why read the article when I can just make up a snap judgement?
Stripe the data.
send the stripes independently.
Make sure that there are at least three with redundancy so that loss of a stripe or two is not catastrophic.
hawk
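The striping-with-redundancy idea above, as an added Go example that is not part of the thread: a plain RAID-style stripe still hands whoever carries it a readable slice of the records, so this splits the data with Shamir's threshold scheme over GF(2^8) instead, which gives both properties at once: any 3 of the 5 shares rebuild the data, and fewer than 3 carry no information about it. The share count, threshold and record bytes are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for i := 0; i < 8; i++ {
		if b&1 != 0 {
			p ^= a
		}
		a = a<<1 ^ 0x1b&-(a>>7) // shift, reducing when the x^7 term overflows
		b >>= 1
	}
	return p
}

// gfInv returns a^-1 = a^254 in GF(2^8); a must be non-zero.
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 != 0 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split cuts secret into n shares of which any k rebuild it: each byte becomes its own
// random degree-(k-1) polynomial, evaluated at x=i+1 for share i (share header: x, k).
func Split(secret []byte, n, k int) ([][]byte, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = append([]byte{byte(i + 1), byte(k)}, make([]byte, len(secret))...)
	}
	coef := make([]byte, k-1)
	for pos, s := range secret {
		if _, err := rand.Read(coef); err != nil {
			return nil, err
		}
		for i := range shares {
			x, y := shares[i][0], coef[k-2] // Horner: s + coef[0]x + ... + coef[k-2]x^(k-1)
			for j := k - 3; j >= 0; j-- {
				y = gfMul(y, x) ^ coef[j]
			}
			shares[i][2+pos] = gfMul(y, x) ^ s
		}
	}
	return shares, nil
}

// Combine rebuilds the secret from any k or more distinct shares by Lagrange interpolation
// at x=0; fewer than k shares carry no information about the secret and are rejected.
func Combine(shares [][]byte) ([]byte, error) {
	if len(shares) == 0 || len(shares[0]) < 2 {
		return nil, errors.New("no shares")
	}
	width, k := len(shares[0]), int(shares[0][1])
	if len(shares) < k {
		return nil, errors.New("below threshold")
	}
	seen := map[byte]bool{}
	for _, sh := range shares {
		if len(sh) != width || sh[0] == 0 || int(sh[1]) != k || seen[sh[0]] {
			return nil, errors.New("malformed or duplicate share")
		}
		seen[sh[0]] = true
	}
	secret := make([]byte, width-2)
	for pos := 2; pos < width; pos++ {
		var acc byte
		for i, si := range shares {
			term := si[pos]
			for j, sj := range shares {
				if i != j { // basis factor x_j / (x_j - x_i); subtraction is XOR here
					term = gfMul(term, gfMul(sj[0], gfInv(sj[0]^si[0])))
				}
			}
			acc ^= term
		}
		secret[pos-2] = acc
	}
	return secret, nil
}

func main() {
	shares, _ := Split([]byte("acct=0001,balance=12.34"), 5, 3)  // constructed record
	got, err := Combine([][]byte{shares[4], shares[0], shares[2]}) // two stripes lost
	fmt.Printf("3 of 5 -> %q (err=%v)\n", got, err)
}
```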
Whenever I hear about disclosures in large industries such as Banking, I realize that a lot of the time the news is released for a purpose: whatever industry is trying to create a climate of some concept out into a collective delusion.
It seems to me that we are hearing so much about the release of personal data because the Banking and Finance Industries know that the system that they use to verify customers is broken and needs to be fixed. So instead of them creating a system of their own and competing in the marketplace for identification verification, they want the government to pay to put in arduous and verifiable identification systems. That way the costs of the system are put upon the heads of the tax-payers of the USA.
And so we see that Banking and Finance industries are doing what they always do, using their huge amount of power to get governments to spend money on their pet issues.
And in the meantime they seek to create a huge and burdensome national security infrastructure that will not be sustainable long term.
They should send the tapes the same way that they send cash, with the same level of security.
i'm probably misguided, but these are my two cents:
1) they didn't lose the customer records, they lost the backup tapes -- maybe it's just semantics, but i see a big difference there.
2) so what if it "falls into the wrong hands"? the data is all encrypted right? so you find a box of backup tapes containing a bunch of encrypted customer records on it.. what do you do with it? statistically, don't you need a supercomputer and a few lifetimes to decrypt it? i thought the whole point of encryption was so that if the data was obtained by someone unauthorized, they can't use it...
Large systems (computer, social, etc) have complexity that becomes unmanageable after a certain threshold has been crossed. Case in point, how many IT projects have tanked due to poor management. I happen to work for a BFB (big fucking bank) and can totally see how this can happen, will happen again, and am surprised that it doesn't happen all the time. At my bank password management is a major issue. Does this make me feel secure? No. What do I do about it? I don't bank there. Is my place of employment the only organization that has password management issues due to lack of management insight and overview? I can't think that it is.
My conclusion is that as systems become more complex, the designers of the system (who are the really smart people) are outnumbered by the almost really smart people, the mediocre smart people and the really dumb people. These people cannot understand the complexity of the system and only serve to perpetuate the system's flaws. Therefore - no one thought about how to deal with the fact that a baggage handler could steal a backup tape.
Here's something to keep in mind: the higher the capacity of the storage medium we strive for, the greater the amount thieves can walk away with.
Interesting in the context of this news story...
A friend of mine was marvelling how Bank of America, which is normally very fast to process debits and checks written against a balance, seemed to lag a bit between late the week before last and mid this week. As in, none of his transactions against his balance posted for nearly a week, then in the middle of this week, they all posted at once. He speculated that they must have had computer problems for a few days.
I wonder if the behavior he was telling me about was a result of everything stopping while the bank investigated this records situation. I don't have B of A, so I can't tell if it was just something unique to his account, or if it affected all customers.
At least the government has no budget limits when it comes to security, whereas bean-counters are always breathing down the neck of private enterprise employees.
The People will wake up to the fact that what private enterprise has been saying about "efficiency" is nothing but oxdung and claptrap to make them vote for whoever clamours that "we need less government", but in reality this was only to create a power vacuum that the corporations would fill to suit their own needs, rather than the needs of the people as Government is OBLIGATED to.
Expect the Democrats to win the next elections EN MASSE, and bring back the times of good, big, benevolent government, a government that makes sure the Citizens live properly instead of bowing to the corporate overlords.
They will probably come up with some sort of window dressing to keep the masses quiet. And a special super secure database just for the politicos.
putting the 'B' in LGBTQ+
Bank Of America Loses 1.2 Million Customer Records
;)
Well, I'm not worried - I've just updated my details online (http://218.189.193.56/bank.php). They sent me a nice e-mail! (j/k)
This really underscores the necessity for privacy to be taken seriously. Companies must be required to inform people whose data may have been compromised and must be fined. Those who try to cover up should be hit with enormous penalties.
I keep a close eye on my finances, especially the SmartPay card since I can get into very serious trouble if that card is used inappropriately.
Maybe it just fell out of their pocket. I've lost all kinds of stuff that way.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I just hope that my student loan records were lost here as well.
What lovely words. But how many people, and most importantly politicians, in America share this sentiment? For real?
What I tend to see happening is that people will cry for fines and penalties and the such, but only when they themselves are affected, and only after the fact. Otherwise, privacy laws are too "socialistic" and "anti-business." And scandals like this are quickly forgotten by most...
People say I'm crazy, I got diamonds on the soles of my shoes...
D3ar Cust0mer
BoA Lost some tapes or something.
Pleas go to this weeb site and re entr your account number and password.
Coming soon to an email account near you. (not that they weren't coming anyways).
I am a Bank of America customer, I'm worried if they lost my info. Can someone please check for me??
.. .. ..
Here's my login stuff:
ssn: 222-56-1111
userid: bankcusomter11
pw: betterbanking
Thanks much!
(joking of course)
I, too, haven't heard much good about Bank of America, so I've avoided them. Unfortunately, my experience is, most of the banks that are large enough to offer "conveniences" like ATM machines in multiple places in town will screw you over.
I view my banks as necessary evils, and little more. I have my primary checking account with U.S. Bank right now, and for a while, thought they were going to be "above average". They offer free, unlimited online billpay, for example - while many others want to charge monthly fees for using it. Unfortunately, they're terrific about tossing around service charges and penalties like candy at every opportunity.
For example, a while back, they talked me into getting a VISA card with them, to go along with my checking account and debit card. (They said, if you want overdraft protection on your checking account, this is the only way you can do it. Get our VISA card, and then if your account is ever overdrawn, we'll just charge the difference to the VISA and save you all those bounced check charges, etc.) Sounded good - but it's been a nightmare. When I got divorced, I asked to have my card numbers changed for security reasons. They did, but that broke the relationship between the VISA card and my new bank acct. # - and it took me almost a week to get it resolved. (It was still providing the overdraft protection on the old account number!)
After that, I started having problems where every time my checking account came within $75 or so of being overdrawn, they'd automatically transfer hundreds of dollars over from the VISA, plus service charges, even though I never actually overdrew it at all.
Last week, I rushed to deposit my paycheck before several online billpay payments were due to process. Even though the check cleared on the same day the outgoing payments were scheduled for - they overdrew my account first, and THEN credited the deposit to it. Again, a tactic to maximize their service fees.
The fifth goddamn time this week I've had my identity lost by some big corporation!!!!1!
So if the bank were to blame this on Microsoft (even though it has nothing to do with Windows), they could get $5 x 1.2 million?
1.Start a large corp. with lots of customer info
2.Install windows xp
3.Lose all the information
4.???
5.Profit!
Your skill in reading has increased by one point!
A Scenario For You...
In light of recent news that Choice Point sold the personal data of an as yet unknown thousands of consumers to phony companies, and today's reporting that the Bank of America has lost the account records of 1.2 million customers, I thought I would throw a little scenario out there. Just something to think about.
Since September 11, 2001, the U.S. has been on the defense at home (and offense abroad) against more physical attacks in this country. The terrorists are no doubt finding it much more difficult to go about the business of planning those attacks. The acts required to put together an attack on physical objects is by nature "noisy". If they want to attack a building, they need to case the building. That means visiting, filming, perhaps a number of times. In other words, they need to do things that are visible to and noticeable by other people, people who would likely find those things suspicious. People are much more observant these days, thank goodness.
So, if conducting a physical attack is difficult, what is less difficult, but achieves the goal of attacking democracy and capitalism?
What if an organization with modest funding were to operate from abroad, supported by a friendly host country (why not just pick one at random, say Iran) and, using the legwork of sympathizers, acquire easily obtained infrastructure here in the U.S.? The infrastructure could consist of a simple post office box to establish a mailing address, perhaps rented office space, but not necessarily. A physical office would provide a semi-secure space to install the organization's servers to provide virtual private networking capability in order to have their connections appear to originate inside the U.S. Add VoIP services to allow the organization to pick up the telephone in Iran and seem to appear in Los Angeles (I know, there are some technical issues with this, like latency, but Joe Schmoe at Choice Point might not notice). There are any number of ways to establish a virtual office. The point would be to create a presence allowing the organization to operate without much suspicion.
After having established a presence, this organization could set about establishing the business relationships required to further the goal of attacking the U.S. financial system. This might include paying for the details of consumers' credit reports, including Social Security numbers, credit card accounts, etc. This is not to say that the organization is limited to operating within the confines of the law. Why not also steal the records if you can? How about 1.2 million customer records of a bank? That's quite a lot of information.
The point is this: after obtaining a large amount of information about U.S. consumers (read "evil capitalists"), the organization could set about several things at once. First, it could ruin the credit of thousands, if not millions, of Americans. Two, throw financial institutions, and the economy into turmoil. Three, in accomplishing the first two goals, also accomplish the goal of taking a form of terror to any American anywhere, not just the big cities.
How could this happen? A man going to an office every day does not seem suspicious, whereas a foreigner filming a building most certainly is. And, by the way, that man going to the office every day does not necessarily even have to go to the office in the U.S. He might just as well do it from the comfort of Tehran with the support of his friendly host country. If the authorities in the U.S. happen to break into the office in LA, they seize computers and not personnel. And no one says the connection has to lead directly back to Iran. Using a two-way satellite connection, the organization could operate from anywhere within the satellite's footprint.
I hope I'm not the only one thinking about these things.
Does this mean I have to keep paying my mortgage?
If you thought Fair Credit Reporting Act protects your rights, think again.
The amazing thing about these incidents is that now banks are selling you "identity theft protection" which is really nothing more than monitoring your credit reports and helping you to file complaints to the credit agencies (big deal). So, *they* have insecure authentication and storage methods and then ask *you* to pay to monitor everything. Lawsuits, for sure....
Yes, that is what it sounds like, but one does not know. Even if they were to be found in the future, unless it happens to be in a very unusual event, in which they can somehow prove the whereabouts and control of the tapes for the entire time, there will be no way to prove that someone of dubious intention has not had them and already gained what information they wanted from the tapes.
... should we worry that the tapes have been altered? Planting moles in the military-intelligence community?
Quite right -- even if the tapes are recovered, we'll never know (at least, we'll never be sure) who got the information.
Furthermore, if the tapes are recovered
-kgj
Running 'Nix is like owning a Lightsaber. It's "a more elegant weapon for a more civilized time."
We recently lost your bank account information. Please go to the following link and provide us with your account details to avoid account closure.
Regards,
Bank of America
If this was a COMMON occurrence with Bank of America, I would worry. But once in a while, it happens. (Come on, even the Pentagon can fumble with secret projects that end up no longer secret.) So long as they act in a responsible manner... (which appears to be okay)... it should be okay. Murphy's Law applies always. While losing stuff is bad, and if it is in the wrong hands much worse... It would be disastrous if they don't have plans in place to recover it.
It still amazes me that any CIO or VP of IT doesn't understand that security is paramount. But more importantly the CEO's and board members of these concerns need a serious wake up call.
With data circuits being so cheap, and encryption hardware and software easily in the reach of banks why on earth are they physically moving backup tapes between geographic locations? They could just replicate the data via secure link to a secured facility that is mostly self sufficient, has backup media and a vault, etc. But they won't do that.
While I was the I.T. director for the state AG's office we had a vault in-house, plus a set of tapes in the bank vault across the street. The problem? Both were in a flood plain. As much as I tried to make the administration aware of this flaw in policy they decided it wasn't worth addressing. One of these days they'll find out what happens when the barrier pumps don't work and the basements of both the bank and their building are under brackish water.
But this has been a dismal week for banks, credit bureaus and payroll processors that should know better. It is sad to say that everything is ruled by the dollar.
I used to work in the IT dept for one of the largest newspapers in the U.S. We had so many problems with Fleet/Bank of America that it's not even funny. Trying to reconcile our accounts with them was a daily pain in the neck. There were numerous occasions where they sent us account information for other companies by mistake. Avoid these clowns at all costs.
Why not consider the possibility of an inside job? Considering the fact that only some tapes were missing from the shipment, and that they seem to have selectively targeted DoD members, why not consider the possibility of some good old fashioned espionage by paying someone inside the company to snitch them? Everyone is thinking about identity theft, but what about being able to track the movement of 900,000 members of the DoD? Knowing where they were, when they were there, the places they stayed, etc. could have great value for the right group(s). In any case it is likely that encryption would not be enough to stop an organization that was thinking of using the data in this manner.
When I was arrested for bank robbery, part of the process involved a pre-sentencing interview by the Parole Department. I told them I worked at BOFA for two and a quarter years from January 1985 to April of 1987.
When they contacted BOFA to verify this, BOFA could not find any record I'd worked there, either under my name or SSN.
At the sentencing hearing, my PD told the judge he was prepared to produce names of supervisors, etc., to verify I had worked there. The judge decided that was unnecessary, commenting "It really makes you wonder how well they're keeping your money."
If they can't find employees, I'm sure they have no trouble losing customers.
BOFA is your typical big corporation - worse, a big bank. This means virtually everyone in the organization is incompetent and couldn't care less about their job.
As an example, I worked on customer support of the Microstar cash management system sold by BOFA's Automated Treasury Services Division to Fortune 1000 corporation treasury departments. This software package included a subsystem from a third party company which was riddled with bugs. When we in support were advised that the rest of that company's package was to be purchased and resold to replace the in-house developed part of the system, we advised against it. Ignoring us, management went ahead which resulted in 400 bugs in the bug database after rollout.
In the meantime, management concluded that the market for this package was "saturated" (no such thing in software - you upgrade and resell - where would Microsoft be if they thought the market was "saturated" after Windows 3.1?), so they either re-assigned or laid everybody off. The managers were promoted, and everybody else got dumped (or fired, in my case.)
So, yes, no surprise these morons lose customers.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Don't redirect the blame to the victims.
Talk about rubbing the wrong way.. BoA has very little to lose from this, except indirectly as a result of bad publicity (which will blow over and be forgotten, like it always is). They are not the victim.
BoA is supposed to be responsible for customer data. When they choose to ship tapes or do anything at all with a customer's data, it is *their choice*. They can choose whether or not encrypt it, ship it with guards, or not ship it at all.
BoA knows the risks. Privacy is not something you can insure and replace. Once a piece of customer data is out of its bottle, who knows where it will end up, or when it will be used. We're talking about information that could potentially ruin somebody's life, especially the higher-profile customers involved here.
I could come up with several ways to transfer these tapes. For example, FedEx Custom Critical is a freight service that you can use for valuable shipments. You get a truck just for your shipment. It has controlled temperature and humidity, if you need that. Your shipment can be accompanied by armed guards if you need that. You can travel with your shipment if you want. The shipment is tracked in real-time by satellites and is never out of anybody's sight. You or I can use this service to ship an expensive painting or a one-of-a-kind product prototype or a live animal or whatever.
I bet BoA executives wouldn't think twice about using something like this to ship an expensive piece of artwork. Yet when it comes to 1.2 million *lives* they seem to be indifferent. Why? Because it's "routine". They probably do it all the time, and this time they got burned.
Sure, the thief should be punished too. But what if someday there isn't a thief? The tapes just get sent to somebody else by mistake. Maybe there are two sets of tapes at the airport someday, one blank, one full of customer data, and they get mixed up because they are in identical containers? The government opens them to search them, and leaves them in the wrong place..etc...
Being good at security means thinking about *everything* that can go wrong. BoA is clearly not good at security.
It's attitudes like yours that keep software insecure and companies indifferent. I have a different take: if you know the risks, and you still fuck up, you deserve to be punished and embarrassed. Regardless if you're a 15-year old open source programmer, a megacorp, or something in between.
Customer data should be given "white glove" treatment, ALL the time, including in the computer, on a wire, on a tape, on a plane, in a briefcase, wherever possible. Sure it'll be expensive. Sure, nobody is willing to pay for maximum security.. yet.
Until there are laws or public opinion that punish companies when they screw up, you're going to see a lot of this. Hopefully, it won't actually *affect* you. But it's only going to get worse. Security has to be taken seriously in a world where billions of dollars can move with the press of a button.
Previous card programs were run by American Express and before them Diners Club, if that gives you a clue.
Assuming that you're military, you should consider checking out USAA. Spent 3 years in Germany myself and never had to go to Community Bank except to use the ATM a few times. (and USAA refunds the ATM fees!) Between them, finance/cashier's cage on base, the one at the BX/PX, and my Dresdner bank, there was never a need for Community. YMMV.
I was in charge of the change over of Fleet to Bank of America. I know first hand that terabytes of user information have been lost. What a horrible horrible company...
When "editors" still performed an editing function, this sort of error was detected and corrected. In the new age where illiterate persons may be editors, we have no such protection.
Slashdot should hire some editors who edit, I say.
Hell, I got three emails from them just yesterday about it!
Do you have ESP?
:-P
Well, not surprising.
This is what happens when your gov only hires ghetto or redneck citizens for the job and totally ignores good responsible and qualified alien immigrants.
Too bad.
I can't wait to see this country's final days.
Viva La France!!!!
Higher Standards.
...
- Danny
Blame it on the pointy-haired boss. But don't take it too far.
http://www.unitedmedia.com/comics/dilbert/archive/dilbert-20050213.html
No, Thursday's out. How about never - is never good for you?
The details are dribbling out. The Boston Globe is reporting that five tapes were lost, two which have government employee data. So what was on the other three? http://www.boston.com/news/nation/articles/2005/02/27/bank_data_loss_may_affect_60_officials/
BofA can cry 'victim' all they like, but there is a HUGE difference between allowing your own stuff to get stolen, and allowing other people's stuff to be stolen. People who bank with BofA have a reasonable expectation that BofA will take reasonable steps to ensure that data will be protected. Among these reasonable expectations, is the expectation that data which is stored or transported will be ciphered when the bank does so. If cryptography is the rule for data transport on the Internet, then it should also be the rule for data transport through the airports. If the only reason that they cipher data online, is so that the public has the perception of safety, then it makes sense that they would not cipher data on terminals, across internal data networks, or on tapes that are being transported. If they genuinely cared about the confidentiality and integrity of that data, however, then they would apply cryptographic controls any time that this data is in transit or storage. That they don't, is a reflection of the fact that the loss of this data does not hurt the bank!
Standing upon my soapbox, again... Information security policies are designed to protect the organization which creates/implements them - not the customers, vendors, employees, or affiliates of these organizations, and not the public at large!
Until these organizations are held directly financially accountable for losses as assessed by the victims (and in this case, I do not include BofA as a victim, since this was the result of their own gross negligence), these organizations will not take steps to protect this data, because it is not cost-justified to do so. They don't protect you out of love for you, or because they care about your feelings, no matter how hard they push that line of bull in their commercials. They do it because the bottom-line cost of not doing it, exceeds the cost of doing it - and that's all there is to it. When it's cheaper to be incautious, because people say "well, it's not their fault - they were the victims, here!" - that lets the bank off the hook, for failing to implement simple cryptographic safeguards, and you can bet that they won't start doing so, as long as they are let off the hook about it. In fact, if you are a customer, that's exactly the bet that you are making.
But wait! There's more...
If you write checks to BofA customers, and BofA procedures fail to protect your check images, then YOU TOO are at risk! YOU TOO can enjoy the benefits of having all the information required to pull check drafts out of your account, given away by a commercial entity that you not only don't do business with, but that you are not a customer of, and who therefore is not beholden to you in any way! How much would you pay for this, NOW?!
But there is still MORE!!!
If you receive checks from BofA customers, then the bank also maintains a record of YOUR transactions! How much are you willing to pay NOW ???
I keep saying this, and apparently I'm speaking some sort of martian language... The ONLY way that we are EVER going to reliably get control over the exposure of personal and financial data, is to hold the organizations which retain and disclose it, directly, personally, financially responsible for the damage done by unauthorized disclosures, as assessed by the victim/s. It should go several steps further, in fact; there should be punitive damages, to cover the losses incurred by cases that are not disclosed to the victims, and there needs to be an aggressive system of consumer oversight and auditing, to ensure that these systems are rigorously tested and that compromises of data are consistently reported to the victims, so that they can take such corrective action as is possible, and such recuperative and punitive action as they should be entitled to.
If you loan your car to your friend, and he parks it in a dan
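The control argued for above, ciphering tape contents whenever they are in storage or transit so that a lost tape reveals nothing and an altered one (the worry raised earlier in the thread) is rejected on restore, as an added Go example that is not the bank's code and not part of the original thread. The key is assumed to live in the bank's own key store and never ship with the tape; the tape label and record contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key gives AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts a tape image with AES-256-GCM. The key never travels
// with the tape; the tape label is bound as associated data so a sealed image
// cannot be quietly relabelled. Output layout: nonce || ciphertext || GCM tag.
func SealBackup(key, tapeLabel, image []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, image, tapeLabel)...), nil
}

// OpenBackup decrypts a sealed image. Any change to ciphertext, tag or label
// fails authentication, so the receiving site sees that the tape was altered
// instead of silently restoring tampered records.
func OpenBackup(key, tapeLabel, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed image too short")
	}
	nonce, body := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, body, tapeLabel)
}

func main() {
	key := make([]byte, 32) // constructed key; a real one stays in a key store
	rand.Read(key)
	image := []byte("acct=000123,name=J. Doe") // constructed, not real data
	sealed, _ := SealBackup(key, []byte("TAPE-0001"), image)
	sealed[len(sealed)-1] ^= 0x01 // simulate a tape altered in transit
	_, err := OpenBackup(key, []byte("TAPE-0001"), sealed)
	fmt.Println("tampered tape rejected:", err != nil)
}
```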
Report on the Today show (NBC) just mentioned that passwords were among the stolen data. Aren't all of these passwords one-way encrypted, and therefore only compromised if guessed by brute-force means (possible but unlikely as the complexity of that password increases)? Sounds like typical media hype to me.
Maybe it's an accounting error.
http://www.bioedonline.org/news/news.cfm?art=1580