Slashdot Mirror


Bank Of America Loses 1.2 Million Customer Records

Christopher Reimer writes "C|Net is reporting that Bank of America lost 1.2 million customer records when some backup tapes went missing while being shipped to a backup center. The lost records mainly affect U.S. government employees involved in the SmartPay program. From the article: 'The acknowledgment comes as several other cases of businesses losing consumer information have come to light.'"

23 of 299 comments

  1. Backup Tapes? by Anonymous Coward · · Score: 1, Insightful

    At least BoA seems to be actually tracking those. How many companies bother with that, especially old tapes or old disk drives? "Just throw them in the dumpster", or sell them as surplus.

  2. So? by BibelBiber · · Score: 2, Insightful

    I wonder who got all the data now. Losing stuff is bad but finding stuff in the wrong hands is much worse.

  3. Well... by JavaMoose · · Score: 5, Insightful

    This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

    Now, I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies. Large corporations only feel something when they lose money, maybe it would send the message that you will be held accountable if you do not take security seriously.

    As we all know, nothing is as valuable as our information.

    1. Re:Well... by reallocate · · Score: 5, Insightful

      This is really getting out of hand. For every case like this we hear about, I wonder if there are a few that get swept under the rug?

      You're hearing about this because of the flap about CheckPoint, and you heard about CheckPoint because of the current flap about identity theft.

      If not for those circumstances, these stories would very likely have been reported in the business press, but otherwise below the general public's radar.

      So, you have no reason to assume that the first appearance of an event on TV or in Slashdot means it never happened before.

      BofA ought, of course, to be held responsible for their behavior. I don't know if these cardholders can sue, since the cards were issued to them in conjunction with their federal employment. And, unless they are able to document loss as a result of the loss, I'm not sure what grounds they'd have for a suit.

      That said, BofA just dug itself a big hole for the next contract recompete. Their accountability may come in the form of losing that recompete. (Don't imagine, though, that a contract of that size will be given to some local mom-and-pop bank.)

      --
      -- Slashdot: When Public Access TV Says "No"

    2. Re:Well... by Anonymous Coward · · Score: 0, Insightful

      I generally frown on lawsuits, but this is one type of case where it works. The people on these lists need to start filing class action lawsuits against these companies.

      Class Action Lawsuits are NOT the answer. If a company does wrong, you can go to the company-sponsored arbitration - it's more fair, and it's extremely unlikely for the arbitration board to hand out significant awards to the victim.

      The problem with class action lawsuits is that the damages caused by the corporation can negatively impact the bottom line of a company.... impact stock prices and real employees... and the cost is ALWAYS passed on to the customer.

      Class action lawsuits only cause more damage, and in the end we need to have faith in the self-regulation of corporations.

    3. Re:Well... by bombadillo · · Score: 2, Insightful

      I used to work in the UK and am a little familiar with the Data Protection Act. We could not access the system from outside of the UK since the systems contained information regarding UK tax data. It's very different over here. I was surprised to find out that large US tax firms send their work over seas to get processed. I don't believe that we have a Data Protection Act which is as robust as the UK.

    4. Re:Well... by TopShelf · · Score: 3, Insightful

      Remember also that you heard about Checkpoint because California law requires that companies inform customers whose data has been compromised. If this had happened just about anywhere else, it could easily have been swept under the rug.

      --
      Stop by my site where I write about ERP systems & more

    5. Re:Well... by mikeanuzis · · Score: 2, Insightful

      If I may bring something to everyone's attention as a network security consultant:

      According to the 2004 FBI/CSI Computer Crime and Security Survey, 53% of polled corporations, government agencies, financial institutions, medical institutions, and universities detected computer security breaches within the last twelve months.

      To speak as if network security is some simple line item an organization would check off and pay if they "cared" about their customers is utterly ignorant. Yes, there are thousands more organizations getting hacked all the time, losing their customers' information, and you never hear about it. I've done network forensics for three Michigan organizations that have been hacked already this year, and none of them told me "Hey by the way, please take this to the press and let everyone know we got hacked."

      The bottom line is this: No network is 100% secure. Security is not some line item that can be paid for when an organization "cares" about their customers. To speak as though any organization that gets hacked must have been negligent only exposes your ignorance on the topic.

      True, too many organizations purchase firewalls and IDS and think they're secure. Organizations need to learn security is a process. Not a product.

      That's where security consultants provide value.

  4. Encryption? by lachlan76 · · Score: 4, Insightful

    But aren't the backups encrypted? Right?

    1. Re:Encryption? by EvilTwinSkippy · · Score: 3, Insightful

      Yeah, and backups are also barcoded and hand-transported by courier to an offsite storage/security vault.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming

  5. This has been coming for a _long_ time... by ites · · Score: 5, Insightful

    When businesses started collecting huge amounts of detailed data via the web in the mid-1990s, it was clear where we were heading:

    1. unlimited storage capacity meant complex and detailed records could be kept on every person.

    2. guaranteed incompetence meant these records would be abused, lost, exposed and manipulated.

    I don't see either of these trends changing.

    Applies to both commercial and governmental databases. Chaos, mess, confusion, abuse, on a huge and ever-increasing scale.

    Welcome to the 21st century. You can opt out by unchecking the "Connect to the Internet" box about 10 years ago...

    --
    Sig for sale or rent. One previous user. Inquire within.

  6. Spooky Business by handy_vandal · · Score: 3, Insightful

    According to Time.com ...

    The U.S. official said a large percentage of the accounts are for the Pentagon but that some 40 federal agencies and other entities are affected. Some of the tapes related to non-federal card-holders, the official added. Trower would not comment on which agencies are affected, referring questions to the General Services Administration. A GSA spokesperson had no immediate response to an inquiry about the matter, including whether any of the Pentagon's billions of dollars in secret "black" programs could be affected. Pentagon spokesman Bryan Whitman said the data loss includes files on 900,000 of the Pentagon's three million or so military and civilian workers. "It is a significant number of the Department's employees," he said, declining to say whether it affected any who are working undercover.

    Spooky business. One wonders ... were these records stolen by domestic agents? Foreign agents? Freelancers?

    -kgj

  7. Not an Internet Issue by reallocate · · Score: 2, Insightful

    These were data tapes. Been in use long before the Internet, and, almost certainly, have been going missing long before the Internet. Could just as well have happened with old fashioned ledgers in 1910.

    For all we know, they were stolen out of the back of some truck and lifted by the overnight cleaning crew.

    --
    -- Slashdot: When Public Access TV Says "No"

  8. at odds by underworld · · Score: 4, Insightful

    These two statements seem to be at odds with each other:

    "We deeply regret this unfortunate incident," Barbara Desoer, who is in charge of technology, service and fulfillment for the Charlotte-based bank, said in a statement. "The privacy of customer information receives the highest priority at Bank of America, and we take our responsibilities for safeguarding it very seriously."

    Sen. Charles Schumer, a New York Democrat, told Reuters that he had been informed by the Senate Rules Committee that the data tapes were likely stolen off a commercial plane by baggage handlers.

    So - they are so concerned about maintaining the security of their data that they gave it (in a very nondescript way, mind you) to a group of people outside of their organization who have a history of struggling with integrity.

    yippee...

  9. Re:Well.. by Kn0xy · · Score: 1, Insightful

    Hmm, doesn't the USAF have a Credit Union of some sort? I know the Navy has Sea-Air; surely there should be more options for your banking needs than just that of Bank of America.

  10. most aggravating thing by Anonymous Coward · · Score: 0, Insightful

    These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?

    Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.

    Look guys - until you put regulations in to make people responsible for properly securing and transporting private data, the principals involved won't worry that much, beyond PR, about taking the right steps for the future.

    1. Re:most aggravating thing by YrWrstNtmr · · Score: 3, Insightful

      These records were stolen during transfer on a *commercial airliner*. Why the hell would you put something that important on something you have no control over?
      Sure, the senators are outraged that this happened. But they should be even more outraged that BoA chose to use a method so cheap to transfer critical data.

      Quite a lot of 'critical data' and other items is moved on commercial airlines every day. Backup data such as this, organ transplants, diplomatic pouches, etc.

      The airline is merely a subcontractor of BoA, charged with moving the stuff from A to B. An organization cannot handle everything in-house. Quite a lot of functions are subcontracted out. The only more secure way would be for BoA to own and operate their own fleet of transport aircraft, with their own baggage handlers, and the data moved from the data center to the airport by their own security personnel, in their own armored trucks.

      Same for a hospital. If they have to send your records somewhere, should they have to do it on their own aircraft?

  11. Re:Well.. by mboverload · · Score: 2, Insightful

    I wish all the senators' personal info was stolen by thieves and logged and posted to the net by spyware companies.

    Then they might just get a freakin clue.

  12. Annoying by FreeLinux · · Score: 4, Insightful

    I doubt that you meant it that way but, your post has rubbed me the wrong way. Yours is just the latest in a long running series of similar posts where the blame for a situation is redirected at the victim.

    The tapes were believed to be stolen by airport baggage handlers during shipment to BoA's offsite facility, likely another datacenter. It's still under investigation so the news agencies are not yet able to accurately report exactly what happened.

    By all accounts BoA has made reasonable effort to protect its data, its tapes and its customers. BoA, and by proxy its customers, are the victim of theft. The blame lies squarely on the shoulders of the thieves and nowhere else.

    In ANY incident, there will always be something more that could have been done to prevent the incident from happening. But, it becomes a question of reasonable care. Was reasonable care taken? It certainly seems as if it was in this case.

    Let's put the blame where it belongs. Don't redirect the blame to the victims.

    1. Re:Annoying by Anonymous Coward · · Score: 1, Insightful

      Anyone have any other ideas?

      I'm posting this as AC since I do consulting for a living and some of my clients are financial institutions.

      There is one surefire way to fix this: make the banks directly liable for any data loss. Do not allow them to disclaim responsibility. Implement strict guidelines that require them to disclose any breach of security. Make sure that failure to follow those guidelines results in mandatory jailtime for the company's officers.

      Problem fixed.

  13. Re:Well.. by ScrewMaster · · Score: 3, Insightful

    Yes, and they would most certainly take steps to protect themselves. What that would do for the rest of us is anyone's guess.

    --
    The higher the technology, the sharper that two-edged sword.

  14. What's the Big Deal? by nozzle! · · Score: 1, Insightful

    A Scenario For You...

    In light of recent news that Choice Point sold the personal data of an as yet unknown thousands of consumers to phony companies, and today's reporting that the Bank of America has lost the account records of 1.2 million customers, I thought I would throw a little scenario out there. Just something to think about.

    Since September 11, 2001, the U.S. has been on the defense at home (and offense abroad) against more physical attacks in this country. The terrorists are no doubt finding it much more difficult to go about the business of planning those attacks. The acts required to put together an attack on physical objects is by nature "noisy". If they want to attack a building, they need to case the building. That means visiting, filming, perhaps a number of times. In other words, they need to do things that are visible to and noticeable by other people, people who would likely find those things suspicious. People are much more observant these days, thank goodness.

    So, if conducting a physical attack is difficult, what is less difficult, but achieves the goal of attacking democracy and capitalism?

    What if an organization with modest funding were to operate from abroad, supported by a friendly host country (why not just pick one at random, say Iran) and, using the legwork of sympathizers, acquire easily obtained infrastructure here in the U.S.? The infrastructure could consist of a simple post office box to establish a mailing address, perhaps rented office space, but not necessarily. A physical office would provide a semi-secure space to install the organization's servers to provide virtual private networking capability in order to have their connections appear to originate inside the U.S. Add VoIP services to allow the organization to pick up the telephone in Iran and seem to appear in Los Angeles (I know, there are some technical issues with this, like latency, but Joe Schmoe at Choice Point might not notice). There are any number of ways to establish a virtual office. The point would be to create a presence allowing the organization to operate without much suspicion.

    After having established a presence, this organization could set about establishing the business relationships required to further the goal of attacking the U.S. financial system. This might include paying for the details of consumers' credit reports, including Social Security numbers, credit card accounts, etc. This is not to say that the organization is limited to operating within the confines of the law. Why not also steal the records if you can? How about 1.2 million customer records of a bank? That's quite a lot of information.

    The point is this: after obtaining a large amount of information about U.S. consumers (read "evil capitalists"), the organization could set about several things at once. First, it could ruin the credit of thousands, if not millions, of Americans. Two, throw financial institutions, and the economy into turmoil. Three, in accomplishing the first two goals, also accomplish the goal of taking a form of terror to any American anywhere, not just the big cities.

    How could this happen? A man going to an office everyday does not seem suspicious, whereas a foreigner filming a building most certainly is. And, by the way, that man going to the office everyday does not necessarily even have to go to the office in the U.S. He might just as well do it from the comfort of Tehran with the support of his friendly host country. If the authorities in the U.S. happen to break into the office in LA, they seize computers and not personnel. And no one says the connection has to lead directly back to Iran. Using a two-way satellite connection, the organization could operate from anywhere within the satellite's footprint.

    I hope I'm not the only one thinking about these things.

  15. This Is No Surprise - BOFA Is Run By Morons by Master+of+Transhuman · · Score: 2, Insightful

    When I was arrested for bank robbery, part of the process involved a pre-sentencing interview by the Parole Department. I told them I worked at BOFA for two and a quarter years from January 1985 to April of 1987.

    When they contacted BOFA to verify this, BOFA could not find any record I'd worked there, either under my name or SSN.

    At the sentencing hearing, my PD told the judge he was prepared to produce names of supervisors, etc., to verify I had worked there. The judge decided that was unnecessary, commenting "It really makes you wonder how well they're keeping your money."

    If they can't find employees, I'm sure they have no trouble losing customers.

    BOFA is your typical big corporation - worse, a big bank. This means virtually everyone in the organization is incompetent and couldn't care less about their job.

    As an example, I worked on customer support of the Microstar cash management system sold by BOFA's Automated Treasury Services Division to Fortune 1000 corporation treasury departments. This software package included a subsystem from a third party company which was riddled with bugs. When we in support were advised that the rest of that company's package was to be purchased and resold to replace the in-house developed part of the system, we advised against it. Ignoring us, management went ahead which resulted in 400 bugs in the bug database after rollout.

    In the meantime, management concluded that the market for this package was "saturated" (no such thing in software - you upgrade and resell - where would Microsoft be if they thought the market was "saturated" after Windows 3.1?), so they either re-assigned or laid everybody off. The managers were promoted, and everybody else got dumped (or fired, in my case.)

    So, yes, no surprise these morons lose customers.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!